From: Christopher Faulet Date: Fri, 22 May 2026 15:10:28 +0000 (+0200) Subject: BUG/MEDIUM: cli: Fix parsing of pattern finishing a command payload X-Git-Tag: v3.4-dev14~61 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=41bb1c24f6eff46ce9cf83c1b64963056506bf95;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: cli: Fix parsing of pattern finishing a command payload When the dedidacted buffer to store the command payload was added (c5ae0da62 "MEDIUM: cli: Make a buffer for the command payload"), an bug was introduced. When the pattern finishing the command payload is found, it is removed from the buffer. A NULL-bytes is added before it, skipping the previous newline character. It worked well in all cases before the commit above, because the commandline was already parsed and was placed at the beginning of the cmdline buffer. So, there is always a line before the payload. Now, the payload is stored in a dedicated buffer. So there is nothing preceeding it in a buffer. If the payload is empty, we cannot rewind to the previous line to set the NULL-byte character. We must handle this case to avoid integer underflow on the payload buffer length. It is a 3.4-specific bug. No backport needed. --- diff --git a/src/cli.c b/src/cli.c index eab076dde..bb9231091 100644 --- a/src/cli.c +++ b/src/cli.c @@ -1151,8 +1151,13 @@ int cli_parse_cmdline(struct appctx *appctx) */ if (len-1 == strlen(appctx->cli_ctx.payload_pat)) { if (strncmp(str, appctx->cli_ctx.payload_pat, len-1) == 0) { - /* end of payload was reached, rewind before the previous \n and replace it by a \0 */ - b_sub(buf, strlen(appctx->cli_ctx.payload_pat) + 2); + /* end of payload was reached, rewind before the previous \n, if any, and replace it by a \0 + * Otherwise, the payload is empty, just + */ + if (b_data(buf) > len) + b_sub(buf, len+1); + else + b_sub(buf, len); *b_tail(buf) = '\0'; appctx->st1 &= ~APPCTX_CLI_ST1_PAYLOAD; }