From: Amaury Denoyelle
Date: Wed, 21 Feb 2024 15:10:43 +0000 (+0100)
Subject: BUG/MINOR: ist: allocate nul byte on istdup
X-Git-Tag: v3.0-dev4~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de0216758;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ist: allocate nul byte on istdup

istdup() is documented as having the same behavior as strdup(). However, it may cause confusion as it allocates a block of input length, without an extra byte for \0 delimiter. This behavior is incoherent, as in the case of an empty string, however, a single \0 is allocated.

This API inconsistency could cause a bug anywhere an IST is used as a C-string after istdup() invocation. Currently, the only found issue is with 'wait' CLI command using 'srv-unused'. This causes a buffer overflow due to ist0() invocation after istdup() for be_name and sv_name.

Backport should be done to all stable releases. Even if no bug has been found outside of wait CLI implementation, it ensures the code is more consistent on every release.
---
diff --git a/include/import/ist.h b/include/import/ist.h
index 16b86164ea..aff799dcb4 100644
--- a/include/import/ist.h
+++ b/include/import/ist.h
@@ -939,16 +939,13 @@ static inline void istfree(struct ist *ist)
  */
 static inline struct ist istdup(const struct ist src)
 {
-	const size_t src_size = src.len;
-
-	/* Allocate at least 1 byte to allow duplicating an empty string with
-	 * malloc implementations that return NULL for a 0-size allocation.
-	 */
-	struct ist dst = istalloc(src_size ? src_size : 1);
+	/* Allocate 1 extra byte to add an extra \0 delimiter. */
+	struct ist dst = istalloc(src.len + 1);
 	if (isttest(dst)) {
-		istcpy(&dst, src, src_size);
+		istcpy(&dst, src, src.len);
 	}
+	dst.ptr[dst.len] = '\0';
 	return dst;
 }
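Review bot: the added terminator write `dst.ptr[dst.len] = '\0';` sits outside the `if (isttest(dst))` block, so on an allocation failure, the very case that guard exists for, the function stores through a NULL ptr before returning. Move the store inside the guarded block, right after `istcpy(&dst, src, src.len);`, so that a failed istalloc() still returns the untouched empty IST to the caller. Dropping the old "allocate at least 1 byte" comment is fine, since `src.len + 1` is never zero and that concern no longer applies; it would be worth stating in the istdup() doc comment that the result now carries a trailing \0 like strdup(), since that is the contract the 'wait' CLI fix relies on.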