
0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch 1.6KB

  1. From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001
  2. From: Dave McCowan <11235david@gmail.com>
  3. Date: Thu, 17 Jul 2014 14:34:01 -0400
  4. Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when
  5. building a proxy v2 header
  6. Use temporary trash chunk, instead of global trash chunk in
  7. make_proxy_line_v2() to avoid memory overwrite.
  8. This fix must also be backported to 1.5.
  9. (cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b)
  10. ---
  11. src/connection.c | 6 ++++--
  12. 1 file changed, 4 insertions(+), 2 deletions(-)
  13. diff --git a/src/connection.c b/src/connection.c
  14. index 20a911b..3435b1a 100644
  15. --- a/src/connection.c
  16. +++ b/src/connection.c
  17. @@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
  18. char *value = NULL;
  19. struct tlv_ssl *tlv;
  20. int ssl_tlv_len = 0;
  21. + struct chunk *cn_trash;
  22. #endif
  23. if (buf_len < PP2_HEADER_LEN)
  24. @@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
  25. tlv->verify = htonl(ssl_sock_get_verify_result(remote));
  26. }
  27. if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
  28. - if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
  29. - tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
  30. + cn_trash = get_trash_chunk();
  31. + if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
  32. + tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
  33. ssl_tlv_len += tlv_len;
  34. }
  35. }
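Review bot: In the SRV_PP_V2_SSL_CN branch the new call passes `&cn_trash`, but the first hunk declares `cn_trash` as `struct chunk *`, so the callee receives a `struct chunk **` where the removed line passed a `struct chunk *` (`&trash`). If ssl_sock_get_remote_common_name() still takes a `struct chunk *` (its prototype is not visible here), it would treat the local pointer's own stack storage as a chunk and fill in the peer certificate CN through it, so the fix for one memory overwrite would likely introduce another, and `cn_trash->len`/`cn_trash->str` would not reliably describe the CN handed to make_tlv(). The call should read `if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {`. A compiler normally reports this as an incompatible-pointer-type warning, which is worth treating as an error when building this file. The body of make_proxy_line_v2() starts and ends outside the hunk.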
  36. --
  37. 1.8.5.5