From: Willy Tarreau <w@1wt.eu>
Date: Tue, 26 May 2026 07:36:12 +0000 (+0200)
Subject: BUG/MINOR: addons/51d: NUL-terminate headers before passing them to Trie API
X-Git-Tag: v3.4-dev14~27
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93f9ecbfe62a8ede2ab86dd1cb858f972697cd83;p=thirdparty%2Fhaproxy.git

BUG/MINOR: addons/51d: NUL-terminate headers before passing them to Trie API

_51d_set_device_offsets() passes ctx.value.ptr directly to
fiftyoneDegreesGetDeviceOffset() which expects a null-terminated string.
Let's copy it through the trash first, to avoid possibly surronding
garbage.

This can be backported to all versions.
---

diff --git a/addons/51degrees/51d.c b/addons/51degrees/51d.c
index a00da8d48..5642e9ed9 100644
--- a/addons/51degrees/51d.c
+++ b/addons/51degrees/51d.c
@@ -303,6 +303,7 @@ static void _51d_init_device_offsets(fiftyoneDegreesDeviceOffsets *offsets) {
 
 static void _51d_set_device_offsets(struct sample *smp, fiftyoneDegreesDeviceOffsets *offsets)
 {
+	struct buffer *temp = get_trash_chunk();
 	struct channel *chn;
 	struct htx *htx;
 	struct http_hdr_ctx ctx;
@@ -324,7 +325,15 @@ static void _51d_set_device_offsets(struct sample *smp, fiftyoneDegreesDeviceOff
 
 		if (http_find_header(htx, name, &ctx, 1)) {
 			(offsets->firstOffset + offsets->size)->httpHeaderOffset = *(global_51degrees.header_offsets + i);
-			(offsets->firstOffset + offsets->size)->deviceOffset = fiftyoneDegreesGetDeviceOffset(&global_51degrees.data_set, ctx.value.ptr);
+			/* Copy value into trash and NUL-terminate before passing to the
+			 * 51Degrees Trie API, which expects a C string.
+			 */
+			if (ctx.value.len >= temp->size)
+				continue;
+			memcpy(temp->area, ctx.value.ptr, ctx.value.len);
+			temp->area[ctx.value.len] = '\0';
+			temp->data = ctx.value.len + 1;
+			(offsets->firstOffset + offsets->size)->deviceOffset = fiftyoneDegreesGetDeviceOffset(&global_51degrees.data_set, temp->area);
 			offsets->size++;
 		}
 	}