BUG/MINOR: server: Missing calloc return value check in srv_parse_source

Two calloc calls were not checked in the srv_parse_source function.
Considering that this function could be called at runtime through a
dynamic server creation via the CLI, this could lead to an unfortunate
crash.

It was raised in GitHub issue #1233.
It could be backported to all stable branches even though the runtime
crash could only happen on branches where dynamic server creation is
possible.

diff --git a/include/haproxy/port_range.h b/include/haproxy/port_range.h
index c0d86591a75e12c8e5434d5e2e2e6a2f2ceda716..9e4379aff43422f584b1300578dd7f4cf9dd5cac 100644 (file)
--- a/include/haproxy/port_range.h
+++ b/include/haproxy/port_range.h
@@ -87,6 +87,8 @@ static inline struct port_range *port_range_alloc_range(int n)
        struct port_range *ret;
        ret = calloc(1, sizeof(struct port_range) +
                     (n + 1) * sizeof(((struct port_range *)0)->ports[0]));
+       if (!ret)
+               return NULL;
        ret->size = n + 1;
        /* Start at the first free element */
        ret->put_h = ret->put_t = n;

diff --git a/src/server.c b/src/server.c
index 49bd5450b73f8ece4c4d61db47eba639adb3d505..be4e6e156a27d134f959d02474a661fef218495d 100644 (file)
--- a/src/server.c
+++ b/src/server.c
@@ -1060,6 +1060,10 @@ static int srv_parse_source(char **args, int *cur_arg,
                int i;
 
                newsrv->conn_src.sport_range = port_range_alloc_range(port_high - port_low + 1);
+               if (!newsrv->conn_src.sport_range) {
+                       ha_alert("Server '%s': Out of memory (sport_range)\n", args[0]);
+                       goto err;
+               }
                for (i = 0; i < newsrv->conn_src.sport_range->size; i++)
                        newsrv->conn_src.sport_range->ports[i] = port_low + i;
        }
@@ -1096,6 +1100,10 @@ static int srv_parse_source(char **args, int *cur_arg,
                                newsrv->conn_src.opts |= CO_SRC_TPROXY_DYN;
                                free(newsrv->conn_src.bind_hdr_name);
                                newsrv->conn_src.bind_hdr_name = calloc(1, end - name + 1);
+                               if (!newsrv->conn_src.bind_hdr_name) {
+                                       ha_alert("Server '%s': Out of memory (bind_hdr_name)\n", args[0]);
+                                       goto err;
+                               }
                                newsrv->conn_src.bind_hdr_len = end - name;
                                memcpy(newsrv->conn_src.bind_hdr_name, name, end - name);
                                newsrv->conn_src.bind_hdr_name[end - name] = '\0';