BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation

The first time I tried it (1.6.3) I got a segmentation fault :(

After some investigation with gdb and valgrind I found the
problem. memcpy() copies past an allocated buffer in
"bind_parse_alpn". This patch fixes it.

[wt: this fix must be backported into 1.6 and 1.5]

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5cec6a4cd6ce5d16f9564e60fa57b24c46112bac..d68151be3ca5db9b0d5b6583b14b396ec1f27c64 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5279,9 +5279,12 @@ static int bind_parse_alpn(char **args, int cur_arg, struct proxy *px, struct bi
 
        free(conf->alpn_str);
 
-       /* the ALPN string is built as a suite of (<len> <name>)* */
+       /* the ALPN string is built as a suite of (<len> <name>)*,
+        * so we reuse each comma to store the next <len> and need
+        * one more for the end of the string.
+        */
        conf->alpn_len = strlen(args[cur_arg + 1]) + 1;
-       conf->alpn_str = calloc(1, conf->alpn_len);
+       conf->alpn_str = calloc(1, conf->alpn_len + 1);
        memcpy(conf->alpn_str + 1, args[cur_arg + 1], conf->alpn_len);
 
        /* replace commas with the name length */