From: Willy Tarreau Date: Tue, 26 May 2026 07:23:48 +0000 (+0200) Subject: BUG/MINOR: ssl-hello: make use of the null-terminated servername X-Git-Tag: v3.4-dev14~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c41c731f5e0048ff9d79b5f2b009e0a53cafb6ef;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl-hello: make use of the null-terminated servername In ssl_sock_switchctx_cbk(), the servername is copied into the trash and null-terminated, but later in the call to strncpy() it's still used as-is, so anything that follows it will be copied as well, which is not really expected. Let's make the servername point to the trash after sanitizing it, like ssl_sock_switchcbk_wolfSSL_cbk() does. This can be backported to 2.6 since it was introduced with commit a996763619 ("BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error"). --- diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c index 7d769611b..3148de24d 100644 --- a/src/ssl_clienthello.c +++ b/src/ssl_clienthello.c @@ -448,6 +448,7 @@ sni_lookup: for (i = 0; i < trash.size && i < servername_len; i++) trash.area[i] = tolower((unsigned char)servername[i]); trash.area[i] = 0; + servername = trash.area; HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); sni_ctx = ssl_sock_choose_sni_ctx(s, conn, trash.area, has_rsa_sig, has_ecdsa_sig);
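Review bot: `servername_len` is left untouched by this hunk, so after `servername = trash.area;` the pointer and the length can disagree whenever the copy loop above stopped at `trash.size` instead of at `servername_len`; any later length-bounded use of `servername` (the `strncpy()` the commit message mentions, or a comparison) should be bounded by the sanitized copy rather than the original length, e.g. set `servername_len = i;` right after the loop, or derive the length with `strnlen(servername, trash.size)`. A one-line comment on the new assignment would also help, since `servername` now aliases the trash buffer and must not be used after anything else writes to `trash`; the `ssl_sock_choose_sni_ctx(s, conn, trash.area, ...)` call on the following line already reads the same buffer, so that use is consistent with the change.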