From 9cc9c6db93841fd9395749ac6f3d0646ed41f3ab Mon Sep 17 00:00:00 2001 From: Marcoen Hirschberg Date: Fri, 12 Feb 2016 17:05:24 +0100 Subject: BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation The first time I tried it (1.6.3) I got a segmentation fault :( After some investigation with gdb and valgrind I found the problem. memcpy() copies past an allocated buffer in "bind_parse_alpn". This patch fixes it. [wt: this fix must be backported into 1.6 and 1.5] (cherry picked from commit bef6091cff924aebb6d0006642db50b23ab2ee23) --- src/ssl_sock.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index a6c71dc..506684a 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4669,9 +4669,12 @@ static int bind_parse_alpn(char **args, int cur_arg, struct proxy *px, struct bi free(conf->alpn_str); - /* the ALPN string is built as a suite of ( )* */ + /* the ALPN string is built as a suite of ( )*, + * so we reuse each comma to store the next and need + * one more for the end of the string. + */ conf->alpn_len = strlen(args[cur_arg + 1]) + 1; - conf->alpn_str = calloc(1, conf->alpn_len); + conf->alpn_str = calloc(1, conf->alpn_len + 1); memcpy(conf->alpn_str + 1, args[cur_arg + 1], conf->alpn_len); /* replace commas with the name length */ -- 1.7.12.1