From 591fc3a330005c289b4705fe4cb37c4eec9f9eed Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 8 Jan 2021 16:08:43 +0100
Subject: [PATCH] BUG/MINOR: sample: fix concat() converter's corruption with non-string variables
Patrick Hemmer reported that calling concat() with an integer variable causes a %00 to appear at the beginning of the output. Looking at the code, it's not surprising. The function uses get_trash_chunk() to get one of the trashes, but can call casting functions which will also use their trash in turn and will cycle back to ours, causing the trash to be overwritten before being assigned to a sample. By allocating the trash from a pool using alloc_trash_chunk(), we can avoid this. However we must free it so the trash's contents must be moved to a permanent trash buffer before returning. This is what's achieved using smp_dup(). This should be backported as far as 2.0.
---
 src/sample.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/sample.c b/src/sample.c
index 21070e1..41d95d8 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -3000,7 +3000,7 @@ static int sample_conv_concat(const struct arg *arg_p, struct sample *smp, void
 struct sample tmp;
 int max;
- trash = get_trash_chunk();
+ trash = alloc_trash_chunk();
 trash->data = smp->data.u.str.data;
 if (trash->data > trash->size - 1)
 trash->data = trash->size - 1;
@@ -3052,6 +3052,8 @@ static int sample_conv_concat(const struct arg *arg_p, struct sample *smp, void
 smp->data.u.str = *trash;
 smp->data.type = SMP_T_STR;
+ smp_dup(smp);
+ free_trash_chunk(trash);
 return 1;
 }
--
1.7.10.4
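Review bot: The result of `alloc_trash_chunk()` is dereferenced on the very next line (`trash->data = smp->data.u.str.data;`) with no NULL check. Unlike the rotating buffer that get_trash_chunk() handed out, a pool allocation can presumably fail under memory pressure, which would turn a converter call on request data into a NULL dereference. I would add `if (!trash) return 0;` directly after the allocation. The function body continues past the end of this hunk, so any exit path between here and the final return would also have to release the chunk; that part is not visible here.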
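Review bot: The return value of `smp_dup(smp)` is ignored right before `free_trash_chunk(trash)`, although `smp->data.u.str` was set to `*trash` two lines earlier. If smp_dup() can fail or skip the copy (not visible here; confirm against its definition), the sample leaves the function still pointing at the area just returned to the pool, which is a use-after-free on the next access. I would check it and fail the conversion, `if (!smp_dup(smp)) { free_trash_chunk(trash); return 0; }`, assuming a zero return means the sample was not duplicated. A short comment above the free, such as `/* smp must not reference trash past this point */`, would also document the ownership rule this fix relies on.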