mirror of
https://github.com/haproxy/haproxy.git
synced 2026-02-03 20:39:41 -05:00
The first item inserted into an ebtree will be inserted directly below
the root, which is a simple struct eb_root which only holds two branch
pointers (left and right).

If we try to find a duplicated entry to this first leaf through an
ebmb_next_dup, our leaf_p pointer will point to the eb_root instead of a
complete eb_node, so we cannot look for the bit part of our leaf_p since
it would try to cast our eb_root into an eb_node and perform an
out-of-bounds access when reading "eb_root_to_node(eb_untag(t,EB_LEFT)))->bit".

This bug was found by address sanitizer running on a CRL hot update VTC
test.

Note that the bug has been there since the import of the eb_next_dup()
and eb_prev_dup() functions in 1.5-dev19 by commit

| File |
|---|
| atomic-ops.h |
| eb32sctree.h |
| eb32tree.h |
| eb64tree.h |
| ebimtree.h |
| ebistree.h |
| ebmbtree.h |
| ebpttree.h |
| ebsttree.h |
| ebtree.h |
| ist.h |
| lru.h |
| mjson.h |
| plock.h |
| sha1.h |
| slz-tables.h |
| slz.h |
| xxhash.h |