BUG/MEDIUM: tcpcheck/spoe: bound the SPOP error code to valid values

tcpcheck_spop_expect_hello() stores the SPOA agent-supplied status-code
varint directly into check->code (signed short) without range validation.
The code is later used as an index into spop_err_reasons[100]. Let's
just replace invalid status codes with SPOP_ERR_UNKNOWN to avoid any
problem.

The SPOP tcp-check was introduced in 3.1 so this fix must be backported
to 3.2.

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 7a756c1d25001a47224cfbc806ffec119fbe8cc4..2ab1b2bf23572f09cadf0abf3a4be38ec6f94812 100644 (file)
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -834,6 +834,8 @@ enum tcpcheck_eval_ret tcpcheck_spop_expect_hello(struct check *check, struct tc
                                        goto invalid_frame;
                                if (decode_varint(&ptr, end, &sz) == -1)
                                        goto invalid_frame;
+                               if (sz >= SPOP_ERR_ENTRIES)
+                                       sz = SPOP_ERR_UNKNOWN;
                                check->code = sz;
                        }