- peers: fix OOB heap write in dictionary cache update

Resolves: RHEL-170588
2026-05-05 12:22:51 +02:00 · 2026-05-05 12:22:51 +02:00 · ce5685395b
commit ce5685395b
parent 04b70258a9
2 changed files with 46 additions and 1 deletions
--- a/RHEL-170588-peers-fix-OOB-heap-write-in-dictionary-cache-update.patch
+++ b/RHEL-170588-peers-fix-OOB-heap-write-in-dictionary-cache-update.patch
@ -0,0 +1,40 @@
+--- a/src/peers.c	2026-05-05 13:18:36.102513859 +0200
+++ b/src/peers.c	2026-05-05 13:24:14.627824221 +0200
+@@ -289,6 +289,10 @@
+ 	{ .mask = PEERS_EV_SESSREL,    .name = "sessrl",       .desc = "peer session releasing" },
+ #define PEERS_EV_PROTOERR        (1 << 6)
+ 	{ .mask = PEERS_EV_PROTOERR,   .name = "protoerr",     .desc = "protocol error" },
+#define PEERS_EV_SESS_IO       (1ULL << 7)
+	{ .mask = PEERS_EV_SESS_IO,      .name = "sess_io",        .desc = "peer session I/O" },
+#define PEERS_EV_PROTO_ERR     (1ULL << 8)
+	{ .mask = PEERS_EV_PROTO_ERR,    .name = "proto_error",    .desc = "protocol error" },
+ 	{ }
+ };
+ 
+@@ -400,7 +404,7 @@
+ 		}
+ 	}
+ 
+-	if (mask & (PEERS_EV_SESSREL|PEERS_EV_PROTOERR)) {
+	if (mask & (PEERS_EV_SESSREL|PEERS_EV_PROTO_ERR)) {
+ 		if (a2) {
+ 			const struct peer *peer = a2;
+ 			struct peers *peers = NULL;
+@@ -2005,13 +2009,12 @@
+ 			}
+ 
+ 			dc = p->dcache;
+			if (id > dc->max_entries) {
+				TRACE_ERROR("malformed update message: invalid dict value", PEERS_EV_SESS_IO|PEERS_EV_PROTOERR, appctx, p, st);
+				goto malformed_unlock;
+			}
+ 			if (*msg_cur == end) {
+ 				/* Dictionary entry key without value. */
+-				if (id > dc->max_entries) {
+-					TRACE_PROTO("malformed message", PEERS_EV_UPDTMSG,
+-					            NULL, p, NULL, &id);
+-					goto malformed_unlock;
+-				}
+ 				/* IDs sent over the network are numbered from 1. */
+ 				de = dc->rx[id - 1].de;
+ 			}
--- a/haproxy.spec
+++ b/haproxy.spec
@ -8,7 +8,7 @@

 Name:           haproxy
 Version:        3.0.5
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        HAProxy reverse proxy for high availability environments

 License:        GPL-2.0-or-later
@ -22,6 +22,7 @@ Source4:        %{name}.sysconfig
 Source5:        %{name}.sysusers
 Source6:        halog.1
 Patch0:         RHEL-126653-CVE-2025-11230-fix-denial-of-service-vulnerability-in-mjson-library.patch
+Patch1:         RHEL-170588-peers-fix-OOB-heap-write-in-dictionary-cache-update.patch

 BuildRequires:  gcc
 BuildRequires:  lua-devel
@ -133,6 +134,10 @@ echo "d /var/lib/haproxy 0755 root root - -" > %{buildroot}%{_tmpfilesdir}/%{nam
 %{_tmpfilesdir}/%{name}.conf

 %changelog
+* Tue May  5 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 3.0.5-7
+- peers: fix OOB heap write in dictionary cache update
+  Resolves: RHEL-170588
+
 * Thu Nov  6 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 3.0.5-6
 - Fix denial of service vulnerability in mjson library (CVE-2025-11230)
  Resolves: RHEL-126653