diff options
| author | Aurelien DARRAGON <adarragon@haproxy.com> | 2023-05-11 18:49:14 +0200 |
|---|---|---|
| committer | Christopher Faulet <cfaulet@haproxy.com> | 2023-05-12 09:45:30 +0200 |
| commit | d4dba38ab101eee4cbd0c8d8aa21181825ef6472 (patch) | |
| tree | bd6c8ec5355f597e16f0eced7bd2d47873ed8bd7 | |
| parent | 4cc2714ae2b40b84b1ee361dceab71a3acd8fb4a (diff) | |
| download | haproxy-d4dba38ab101eee4cbd0c8d8aa21181825ef6472.tar.gz | |
BUG/MINOR: errors: handle malloc failure in usermsgs_put()
usermsgs_buf.size is set without first checking if previous malloc
attempt succeeded.
This could fool the buffer API into assuming that the buffer is
initialized, resulting in unsafe read/writes.
Guarding usermsgs_buf.size assignment with the malloc attempt result
to make the buffer initialization safe against malloc failures.
This partially fixes GH #2130.
It should be backported up to 2.6.
| -rw-r--r-- | src/errors.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/errors.c b/src/errors.c index 2e9d6afb7..5913cb1d5 100644 --- a/src/errors.c +++ b/src/errors.c @@ -229,7 +229,8 @@ static void usermsgs_put(const struct ist *msg) /* Allocate the buffer if not already done. */ if (unlikely(b_is_null(&usermsgs_buf))) { usermsgs_buf.area = malloc(USER_MESSAGES_BUFSIZE * sizeof(char)); - usermsgs_buf.size = USER_MESSAGES_BUFSIZE; + if (usermsgs_buf.area) + usermsgs_buf.size = USER_MESSAGES_BUFSIZE; } if (likely(!b_is_null(&usermsgs_buf))) { |