upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-19 16:36:07 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

BUG/MEDIUM: mux_h1: fix stack buffer overflow in h1_append_chunk_size()

Browse source 
The char tmp[10] buffer can only hold 8 hex digits + CRLF suffix. If chksz
exceeds 4GB (0xFFFFFFFF), the do-while loop writes more than 8 hex digits,
overflowing the stack buffer by 1+ bytes. In practice the buffer is aligned
from the end and leaves a 6-byte hole before it on 64-bit systems, leaving
enough room to be harmless, and 4 on 32-bit platforms which save it from
touching lower variables. So it is safe but just by luck.

Fix by increasing tmp[] to 18 bytes, sufficient for up to 16 hex digits
(2^64 - 1) plus CRLF.
This commit is contained in:
Willy Tarreau 2026-04-26 13:51:16 +02:00
parent 5160b84c7a
commit 1ef74fc7ce
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/mux_h1.c
View file

@ -1852,10 +1852,10 @@ static void h1_prepend_chunk_size(struct buffer *buf, size_t chksz, size_t lengt
*/
static int h1_append_chunk_size(struct buffer *buf, size_t chksz)
{
char tmp[10];
char tmp[18];
char *beg, *end;
beg = end = tmp+10;
beg = end = tmp+sizeof(tmp);
*--beg = '\n';
*--beg = '\r';
do {