From: Willy Tarreau Date: Tue, 9 Aug 2016 09:55:21 +0000 (+0200) Subject: BUG/MAJOR: server: the "sni" directive could randomly cause trouble X-Git-Tag: v1.7-dev4~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e0565cc09517195ed50d5a121852b654c9d2b97;p=thirdparty%2Fhaproxy.git BUG/MAJOR: server: the "sni" directive could randomly cause trouble The "sni" server directive does some bad stuff on many occasions because it works on a sample of type string and limits len to size-1 by hand. The problem is that size used to be zero on many occasions before the recent changes to smp_dup() and that it effectively results in setting len to -1 and writing the zero byte *before* the string (and not terminating the string). This patch makes use of the recently introduced smp_make_safe() to address this issue. This fix must be backported to 1.6. --- diff --git a/src/backend.c b/src/backend.c index 2c9429975d..faf872c0b1 100644 --- a/src/backend.c +++ b/src/backend.c @@ -1217,12 +1217,7 @@ int connect_server(struct stream *s) /* restore the pointers */ b_adv(s->req.buf, rewind); - if (smp) { - /* get write access to terminate with a zero */ - smp_dup(smp); - if (smp->data.u.str.len >= smp->data.u.str.size) - smp->data.u.str.len = smp->data.u.str.size - 1; - smp->data.u.str.str[smp->data.u.str.len] = 0; + if (smp_make_safe(smp)) { ssl_sock_set_servername(srv_conn, smp->data.u.str.str); srv_conn->flags |= CO_FL_PRIVATE; }
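Review bot: the hunk drops the `if (smp)` NULL guard that preceded the old block and goes straight to `if (smp_make_safe(smp))`; confirm that smp_make_safe() tolerates a NULL sample (the fetch feeding `smp` may yield none), otherwise the guard should stay as `if (smp && smp_make_safe(smp))`. Also note that when smp_make_safe() fails the connection now silently proceeds without any SNI set, where the old code always called ssl_sock_set_servername(); if a missing server name is a security-relevant outcome (wrong certificate selected, or handshake failure on a strict peer), a short comment on that branch, or a log line, would make the intended fallback explicit.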