From: Willy Tarreau Date: Sun, 26 Apr 2026 11:51:16 +0000 (+0200) Subject: BUG/MEDIUM: mux_h1: fix stack buffer overflow in h1_append_chunk_size() X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=1ef74fc7cec12eba7daeef0b44f96b1ad4f5e127;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux_h1: fix stack buffer overflow in h1_append_chunk_size() The char tmp[10] buffer can only hold 8 hex digits + CRLF suffix. If chksz exceeds 4GB (0xFFFFFFFF), the do-while loop writes more than 8 hex digits, overflowing the stack buffer by 1+ bytes. In practice the buffer is aligned from the end and leaves a 6-byte hole before it on 64-bit systems, leaving enough room to be harmless, and 4 on 32-bit platforms which save it from touching lower variables. So it is safe but just by luck. Fix by increasing tmp[] to 18 bytes, sufficient for up to 16 hex digits (2^64 - 1) plus CRLF. --- diff --git a/src/mux_h1.c b/src/mux_h1.c index 5f3bc3ec0..5d9dcbbb9 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -1852,10 +1852,10 @@ static void h1_prepend_chunk_size(struct buffer *buf, size_t chksz, size_t lengt */ static int h1_append_chunk_size(struct buffer *buf, size_t chksz) { - char tmp[10]; + char tmp[18]; char *beg, *end; - beg = end = tmp+10; + beg = end = tmp+sizeof(tmp); *--beg = '\n'; *--beg = '\r'; do {
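Review bot: The literal in `char tmp[18];` hard-codes the assumption that size_t is at most 64 bits (16 hex digits plus CRLF); consider `char tmp[sizeof(size_t) * 2 + 2];` so the bound is derived from the type rather than restated as a number, and add a one-line comment above the declaration stating that rationale (the commit message explains it, the code does not). Replacing `tmp+10` with `tmp+sizeof(tmp)` is the right call since it removes the second copy of the magic number that had to stay in sync with the array size. The hunk is cut off at `do {`, so the digit-emitting loop is not visible here: confirm it consumes chksz four bits per iteration and stops when chksz reaches zero, since that is what guarantees every `*--beg` write stays at or above `tmp` with the new size.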