author | Aurelien DARRAGON <adarragon@haproxy.com> | 2023-05-15 11:59:08 +0200 |
---|---|---|
committer | Christopher Faulet <cfaulet@haproxy.com> | 2023-05-17 16:49:17 +0200 |
commit | b6a24a52a2efc597624521de752256a5c4ee5c5b (patch) | |
tree | f5b5b8c7f438e899040d9d1e1efc364fd24f042b | |
parent | 7428adaf0da600e9b80fc3857d24483656cb4f45 (diff) | |
download | haproxy-b6a24a52a2efc597624521de752256a5c4ee5c5b.tar.gz |

BUG/MINOR: debug: fix pointer check in debug_parse_cli_task()

Task pointer check in debug_parse_cli_task() computes the theoretical end
address of provided task pointer to check if it is valid or not thanks to
may_access() helper function.

However, relative ending address is calculated by adding task size to 't'
pointer (which is a struct task pointer), thus it will result in an incorrect
address since the compiler automatically translates 't + x' to
't + x * sizeof(*t)' internally (with sizeof(*t) != 1 here).

Solving the issue by using 'ptr' (which is the void * raw address) as
starting address to prevent automatic address scaling.

This was revealed by Coverity, see GH #2157.

No backport is needed, unless 9867987 ("DEBUG: cli: add "debug dev task"
to show/wake/expire/kill tasks and tasklets") gets backported.

-rw-r--r-- | src/debug.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/debug.c b/src/debug.c index 67711e14b..474a6647f 100644 --- a/src/debug.c +++ b/src/debug.c @@ -1004,7 +1004,7 @@ static int debug_parse_cli_task(char **args, char *payload, struct appctx *appct t = ptr; caller = t->caller; msg = NULL; - task_ok = may_access(t + sizeof(*t) - 1); + task_ok = may_access(ptr + sizeof(*t) - 1); chunk_reset(&trash); resolve_sym_name(&trash, NULL, (const void *)t->process); |
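
Review bot: in the changed line, `ptr + sizeof(*t) - 1` does arithmetic on `ptr`, which the commit message describes as a `void *`; that is a GNU C extension (the pointee size is treated as 1) rather than standard C, so an explicit byte cast such as `(const char *)ptr + sizeof(*t) - 1` would state the intended unscaled offset and keep the check correct on compilers without the extension. Separately, in the visible context `caller = t->caller;` reads through `t` before `task_ok` is computed, so it is worth confirming that a check earlier in the function already covers that field.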