From cb6e2e555ea578ca4002dc016b9b215a9d0d710c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
Date: Tue, 16 Dec 2025 16:09:39 +0000
Subject: [PATCH] ITS#9959 Nul-terminate addresses

Debug(LDAP_DEBUG_CONNS, ...) gets these passed as %s, reaching just beyond the allocated buffer.
---
 servers/lloadd/backend.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/servers/lloadd/backend.c b/servers/lloadd/backend.c
index 50f158cbab..68d78eae3d 100644
--- a/servers/lloadd/backend.c
+++ b/servers/lloadd/backend.c
@@ -255,17 +255,19 @@ upstream_name_cb( int result, struct evutil_addrinfo *res, void *arg )
 }
 conn = ch_calloc( 1, sizeof(LloadPendingConnection) +
- peerbv.bv_len + localbv.bv_len );
+ peerbv.bv_len + 1 + localbv.bv_len + 1 );
 LDAP_LIST_ENTRY_INIT( conn, next );
 conn->backend = b;
 conn->fd = s;
 conn->localbv.bv_val = (char *)(conn + 1);
 memcpy( conn->localbv.bv_val, localbv.bv_val, localbv.bv_len );
+ conn->localbv.bv_val[localbv.bv_len] = '\0';
 conn->localbv.bv_len = localbv.bv_len;
- conn->peerbv.bv_val = conn->localbv.bv_val + localbv.bv_len;
+ conn->peerbv.bv_val = conn->localbv.bv_val + localbv.bv_len + 1;
 memcpy( conn->peerbv.bv_val, peerbv.bv_val, peerbv.bv_len );
+ conn->peerbv.bv_val[peerbv.bv_len] = '\0';
 conn->peerbv.bv_len = peerbv.bv_len;
 conn->event = event_new( lload_get_base( s ), s, EV_WRITE|EV_PERSIST,
--
2.47.3
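Review bot: The layout of the storage that trails `conn` is now encoded in three separate places in this hunk (the `ch_calloc` size, the `peerbv.bv_val` offset and the two terminator stores), and no comment states the invariant they must keep in step. Since the commit message attributes the over-read to `%s` formatting in Debug(), I would record that above the allocation, e.g. `/* trailing storage: local address, NUL, peer address, NUL; bv_len excludes the NUL, both strings are printed with %s */`. The explicit `'\0'` stores duplicate what the zero-filled `ch_calloc` memory already provides, but they are worth keeping because they stay correct if the allocation call is ever changed. `upstream_name_cb` starts and ends outside the hunk, so whether other `%s` consumers of these bervals exist cannot be checked from here.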