url2sa() still have an unfortunate case where it reads 1 byte too far,
it happens when no port or path are specified in the URL, and could
crash if the byte after the URL is not allocated (mostly with ASAN).
This case is never triggered in old versions of haproxy because url2sa
is used with buffers which are way bigger than the URL. It is only
triggered with the httpclient.
Should be bacported in every stable branches.
(cherry picked from commit
3d7a9186dd650dc4106a64bb57c49b990c3cbbeb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
6342cc533d56cc8d44b0c4e7f7f5fb39a2fd87cb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
e2e6cd95fa54f4bb312d73b448110d7a85fd4794)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
end++;
/* Decode port. */
- if (*end == ':') {
+ if (end < url + ulen && *end == ':') {
end++;
default_port = read_uint(&end, url + ulen);
}
curr += ret;
/* Decode port. */
- if (*curr == ':') {
+ if (curr < url + ulen && *curr == ':') {
curr++;
default_port = read_uint(&curr, url + ulen);
}
}
/* Decode port. */
- if (*end == ':') {
+ if (end < url + ulen && *end == ':') {
end++;
default_port = read_uint(&end, url + ulen);
}
projects / haproxy-2.3.git / commitdiff