From d69d6f367879c52013946026239cb7d56c9f6f2b Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 22 Jul 2015 16:45:36 +0200
Subject: [PATCH] BUG/MAJOR: dns: fix the length of the string to be copied

Jan A. Bruder reported that some very specific hostnames on server lines were causing haproxy to crash on startup. Given that his backtrace showed some heap corruption, it was obvious there was an overflow somewhere.

The bug in fact is a typo in dns_str_to_dn_label() which mistakenly copies one extra byte from the host name into the output value, thus effectively corrupting the structure.

The bug triggers while parsing the next server of similar length after the corruption, which generally triggers at config time but could theoretically crash at any moment during runtime depending on what malloc sizes are needed next. This is why it's tagged major.

No backport is needed, this bug was introduced in 1.6-dev2.
--- src/dns.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dns.c b/src/dns.c index 37e041cf0..5bc57e560 100644 --- a/src/dns.c +++ b/src/dns.c @@ -947,7 +947,7 @@ char *dns_str_to_dn_label(const char *string, char *dn, int dn_len) if (dn_len < i + offset) return NULL; - i = strlen(string) + offset; + i = strlen(string); memcpy(dn + offset, string, i); dn[i + offset] = '\0'; /* avoid a '\0' at the beginning of dn string which may prevent the for loop
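Review bot: The bounds check that precedes the changed line, `if (dn_len < i + offset) return NULL;`, still looks one short for the terminator written two lines later. With the fix, `memcpy(dn + offset, string, i)` fills `dn[offset .. offset + i - 1]`, and `dn[i + offset] = '\0'` then writes index `i + offset`; when `dn_len == i + offset` the check passes but that store lands at `dn[dn_len]`, one past the buffer (assuming `i` already holds `strlen(string)` at the point of the check, which the hunk does not show). Suggest tightening the guard to `if (dn_len < i + offset + 1) return NULL;` (or `<=`) in the same patch, and adding a regression case where a server hostname exactly fills `dn_len` so a heap checker such as ASan/valgrind exercises this edge rather than relying on the later malloc layout to expose it, as the commit message describes.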