Bug in proxyv2_addr_store() length checks
Hi,
The PROXYv2 address block parser in proxyv2_addr_store() does not use the sizeof() operator correctly when performing the length checks (i.e., that the received packet is large enough to contain the PROXYv2 IPv4 or IPv6 address block that is about to be parsed). The buggy code is here:
This could allow malformed packets that are too small through the length check because sizeof(addr) (4 or 8 bytes depending on CPU architecture) is smaller than sizeof(*addr) (12 or 36 bytes depending on IPv4/IPv6 address family).
It looks like the original code had addr as a stack variable which would have been correct but the sizeof() expressions weren't updated when addr became a pointer:
The attached patch should fix this.
Thanks!
0001-proxyv2_addr_store-Calculate-packet-bounds-correctly.patch
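
The length-check mistake described in the report above, shown next to the corrected form. This is an added example, not code from the original post, the attached patch or the project; the struct layouts and every ex_-prefixed name are hypothetical, sized to match the 12-byte and 36-byte address blocks the report mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layouts matching the block sizes quoted in the report
 * (12 bytes for IPv4, 36 bytes for IPv6). Byte arrays avoid padding. */
struct ex_pp2_ipv4 { uint8_t src[4];  uint8_t dst[4];  uint8_t sport[2]; uint8_t dport[2]; };
struct ex_pp2_ipv6 { uint8_t src[16]; uint8_t dst[16]; uint8_t sport[2]; uint8_t dport[2]; };
_Static_assert(sizeof(struct ex_pp2_ipv4) == 12, "IPv4 block is 12 bytes");
_Static_assert(sizeof(struct ex_pp2_ipv6) == 36, "IPv6 block is 36 bytes");

/* Pattern from the report: addr is a pointer, so sizeof(addr) is the
 * pointer width (4 or 8), not the size of the block it points to. */
int ex_len_ok_buggy(const uint8_t *pkt, size_t len, int is_ipv6)
{
    if (is_ipv6) {
        const struct ex_pp2_ipv6 *addr = (const void *)pkt;
        return len >= sizeof(addr);
    }
    const struct ex_pp2_ipv4 *addr = (const void *)pkt;
    return len >= sizeof(addr);
}

/* Corrected pattern: sizeof(*addr) is the size of the pointed-to struct. */
int ex_len_ok_fixed(const uint8_t *pkt, size_t len, int is_ipv6)
{
    if (is_ipv6) {
        const struct ex_pp2_ipv6 *addr = (const void *)pkt;
        return len >= sizeof(*addr);
    }
    const struct ex_pp2_ipv4 *addr = (const void *)pkt;
    return len >= sizeof(*addr);
}

/* Copy the IPv4 block out only after the corrected check passes. */
int ex_parse_ipv4(const uint8_t *pkt, size_t len, struct ex_pp2_ipv4 *out)
{
    if (!ex_len_ok_fixed(pkt, len, 0))
        return -1;              /* truncated block: reject before reading */
    memcpy(out, pkt, sizeof(*out));
    return 0;
}
```

Building with a static analyzer or a lint rule that flags sizeof applied to a pointer variable in a bounds comparison would catch this class of regression when a stack variable is later changed to a pointer.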