From: Remi Tricot-Le Breton Date: Wed, 12 May 2021 07:44:06 +0000 (+0200) Subject: BUG/MINOR: server: Missing calloc return value check in srv_parse_source X-Git-Tag: v2.5-dev1~227 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1800e64ef2428747e696b0ef2f78ab05a116dcc;p=thirdparty%2Fhaproxy.git BUG/MINOR: server: Missing calloc return value check in srv_parse_source Two calloc calls were not checked in the srv_parse_source function. Considering that this function could be called at runtime through a dynamic server creation via the CLI, this could lead to an unfortunate crash. It was raised in GitHub issue #1233. It could be backported to all stable branches even though the runtime crash could only happen on branches where dynamic server creation is possible. --- diff --git a/include/haproxy/port_range.h b/include/haproxy/port_range.h index c0d86591a7..9e4379aff4 100644 --- a/include/haproxy/port_range.h +++ b/include/haproxy/port_range.h @@ -87,6 +87,8 @@ static inline struct port_range *port_range_alloc_range(int n) struct port_range *ret; ret = calloc(1, sizeof(struct port_range) + (n + 1) * sizeof(((struct port_range *)0)->ports[0])); + if (!ret) + return NULL; ret->size = n + 1; /* Start at the first free element */ ret->put_h = ret->put_t = n; diff --git a/src/server.c b/src/server.c index 49bd5450b7..be4e6e156a 100644 --- a/src/server.c +++ b/src/server.c @@ -1060,6 +1060,10 @@ static int srv_parse_source(char **args, int *cur_arg, int i; newsrv->conn_src.sport_range = port_range_alloc_range(port_high - port_low + 1); + if (!newsrv->conn_src.sport_range) { + ha_alert("Server '%s': Out of memory (sport_range)\n", args[0]); + goto err; + } for (i = 0; i < newsrv->conn_src.sport_range->size; i++) newsrv->conn_src.sport_range->ports[i] = port_low + i; } @@ -1096,6 +1100,10 @@ static int srv_parse_source(char **args, int *cur_arg, newsrv->conn_src.opts |= CO_SRC_TPROXY_DYN; free(newsrv->conn_src.bind_hdr_name); newsrv->conn_src.bind_hdr_name = calloc(1, end - name + 1); + if (!newsrv->conn_src.bind_hdr_name) { + ha_alert("Server '%s': Out of memory (bind_hdr_name)\n", args[0]); + goto err; + } newsrv->conn_src.bind_hdr_len = end - name; memcpy(newsrv->conn_src.bind_hdr_name, name, end - name); newsrv->conn_src.bind_hdr_name[end - name] = '\0';