From 947ae125cc3a00c05a5356de177b732fdc55aab5 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 14 Oct 2021 08:11:48 +0200 Subject: [PATCH] BUG/MEDIUM: resolver: make sure to always use the correct hostname length In issue #1411, @jjiang-stripe reports that do-resolve() sometimes seems to be trying to resolve crap from random memory contents. The issue is that action_prepare_for_resolution() tries to measure the input string by itself using strlen(), while resolv_action_do_resolve() directly passes it a pointer to the sample, omitting the known length. Thus of course any other header present after the host in memory are appended to the host value. It could theoretically crash if really unlucky, with a buffer that does not contain any zero including in the index at the end, and if the HTX buffer ends on an allocation boundary. In practice it should be too low a probability to have ever been observed. This patch modifies the action_prepare_for_resolution() function to take the string length on with the host name on input and pass that down the chain. This should be backported to 2.0 along with commit "MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero". --- src/resolvers.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/resolvers.c b/src/resolvers.c index 66c787e..aec66be 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -2724,16 +2724,15 @@ INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws); * Returns -1 in case of any allocation failure, 0 if not. * On error, a global failure counter is also incremented. */ -static int action_prepare_for_resolution(struct stream *stream, const char *hostname) +static int action_prepare_for_resolution(struct stream *stream, const char *hostname, int hostname_len) { char *hostname_dn; - int hostname_len, hostname_dn_len; + int hostname_dn_len; struct buffer *tmp = get_trash_chunk(); if (!hostname) return 0; - hostname_len = strlen(hostname); hostname_dn = tmp->area; hostname_dn_len = resolv_str_to_dn_label(hostname, hostname_len, hostname_dn, tmp->size); @@ -2763,7 +2762,6 @@ enum act_return resolv_action_do_resolve(struct act_rule *rule, struct proxy *px { struct resolv_resolution *resolution; struct sample *smp; - char *fqdn; struct resolv_requester *req; struct resolvers *resolvers; struct resolv_resolution *res; @@ -2824,8 +2822,7 @@ enum act_return resolv_action_do_resolve(struct act_rule *rule, struct proxy *px if (smp == NULL) goto end; - fqdn = smp->data.u.str.area; - if (action_prepare_for_resolution(s, fqdn) == -1) + if (action_prepare_for_resolution(s, smp->data.u.str.area, smp->data.u.str.data) == -1) goto end; /* on error, ignore the action */ s->resolv_ctx.parent = rule; -- 1.7.10.4