From e41638af33d76660220ce2e3ed613e8a24fb6e55 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 24 Jan 2024 10:31:05 +0100 Subject: [PATCH] BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs The jwt_verify converter was added in 2.5 with commit 130e142ee2 ("MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity"). It takes a string on input and returns an integer. It turns out that by presetting the return value to zero before processing contents, while the sample data is a union, it overwrites the beginning of the buffer struct passed on input. On a 64-bit arch it's not an issue because it's where the allocated size is stored and it's not used in the operation, which explains why the regtest works. But on 32-bit, both the size and the pointer are overwritten, causing a NULL pointer to be passed to jwt_tokenize() which is not designed to support this, hence crashes. Let's just use a temporary variable to hold the result and move the output sample initialization to the end of the function. This should be backported as far as 2.5. --- src/sample.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/sample.c b/src/sample.c index 29967e07d9..89de612b3c 100644 --- a/src/sample.c +++ b/src/sample.c @@ -4270,9 +4270,7 @@ static int sample_conv_jwt_verify_check(struct arg *args, struct sample_conv *co static int sample_conv_jwt_verify(const struct arg *args, struct sample *smp, void *private) { struct sample alg_smp, key_smp; - - smp->data.type = SMP_T_SINT; - smp->data.u.sint = 0; + enum jwt_vrfy_status ret; smp_set_owner(&alg_smp, smp->px, smp->sess, smp->strm, smp->opt); smp_set_owner(&key_smp, smp->px, smp->sess, smp->strm, smp->opt); @@ -4281,9 +4279,10 @@ static int sample_conv_jwt_verify(const struct arg *args, struct sample *smp, vo if (!sample_conv_var2smp_str(&args[1], &key_smp)) return 0; - smp->data.u.sint = jwt_verify(&smp->data.u.str, &alg_smp.data.u.str, - &key_smp.data.u.str); + ret = jwt_verify(&smp->data.u.str, &alg_smp.data.u.str, &key_smp.data.u.str); + smp->data.type = SMP_T_SINT; + smp->data.u.sint = ret; return 1; } -- 2.39.5