BUG/MINOR: tcpchecks: Limit parsing of agent-check reply to the buffer

When parsing the agent-check reply, we first loop on the response to find
the newline character, to add a NULL-byte at the end of the line. However,
this loop is not bounded to the data available in the buffer. So it is
possible to read bytes outside the buffer and eventually write a NULL-byte
ouside the buffer.

So let's check for the end of the buffer when looping on the agent-check
reply.

This patch must be backported to all stable versions.

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index b7203d1faa0325ae3a07455595978c83bf101489..7a756c1d25001a47224cfbc806ffec119fbe8cc4 100644 (file)
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -989,7 +989,7 @@ enum tcpcheck_eval_ret tcpcheck_agent_expect_reply(struct check *check, struct t
        const char *sc = NULL; /* maxconn */
        const char *err = NULL; /* first error to report */
        const char *wrn = NULL; /* first warning to report */
-       char *cmd, *p;
+       char *cmd, *p, *end;
 
        TRACE_ENTER(CHK_EV_TCPCHK_EXP, check);
 
@@ -1018,10 +1018,11 @@ enum tcpcheck_eval_ret tcpcheck_agent_expect_reply(struct check *check, struct t
         */
 
        p = b_head(&check->bi);
-       while (*p && *p != '\n' && *p != '\r')
+       end = b_tail(&check->bi);
+       while (p < end && *p && *p != '\n' && *p != '\r')
                p++;
 
-       if (!*p) {
+       if (!*p || p == end) {
                if (!last_read)
                        goto wait_more_data;