From ce5685395b0d19e907f3ff774d7082b383d05105 Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Tue, 5 May 2026 12:22:51 +0200 Subject: [PATCH] - peers: fix OOB heap write in dictionary cache update Resolves: RHEL-170588 --- ...eap-write-in-dictionary-cache-update.patch | 40 +++++++++++++++++++ haproxy.spec | 7 +++- 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 RHEL-170588-peers-fix-OOB-heap-write-in-dictionary-cache-update.patch
diff --git a/RHEL-170588-peers-fix-OOB-heap-write-in-dictionary-cache-update.patch b/RHEL-170588-peers-fix-OOB-heap-write-in-dictionary-cache-update.patch
new file mode 100644
index 0000000..a6a6a6d
--- /dev/null
+++ b/RHEL-170588-peers-fix-OOB-heap-write-in-dictionary-cache-update.patch
@@ -0,0 +1,40 @@
+--- a/src/peers.c 2026-05-05 13:18:36.102513859 +0200
++++ b/src/peers.c 2026-05-05 13:24:14.627824221 +0200
+@@ -289,6 +289,10 @@
+ { .mask = PEERS_EV_SESSREL, .name = "sessrl", .desc = "peer session releasing" },
+ #define PEERS_EV_PROTOERR (1 << 6)
+ { .mask = PEERS_EV_PROTOERR, .name = "protoerr", .desc = "protocol error" },
++#define PEERS_EV_SESS_IO (1ULL << 7)
++ { .mask = PEERS_EV_SESS_IO, .name = "sess_io", .desc = "peer session I/O" },
++#define PEERS_EV_PROTO_ERR (1ULL << 8)
++ { .mask = PEERS_EV_PROTO_ERR, .name = "proto_error", .desc = "protocol error" },
+ { }
+ };
+
+@@ -400,7 +404,7 @@
+ }
+ }
+
+- if (mask & (PEERS_EV_SESSREL|PEERS_EV_PROTOERR)) {
++ if (mask & (PEERS_EV_SESSREL|PEERS_EV_PROTO_ERR)) {
+ if (a2) {
+ const struct peer *peer = a2;
+ struct peers *peers = NULL;
+@@ -2005,13 +2009,12 @@
+ }
+
+ dc = p->dcache;
++ if (id > dc->max_entries) {
++ TRACE_ERROR("malformed update message: invalid dict value", PEERS_EV_SESS_IO|PEERS_EV_PROTOERR, appctx, p, st);
++ goto malformed_unlock;
++ }
+ if (*msg_cur == end) {
+ /* Dictionary entry key without value. */
+- if (id > dc->max_entries) {
+- TRACE_PROTO("malformed message", PEERS_EV_UPDTMSG,
+- NULL, p, NULL, &id);
+- goto malformed_unlock;
+- }
+ /* IDs sent over the network are numbered from 1. */
+ de = dc->rx[id - 1].de;
+ }
diff --git a/haproxy.spec b/haproxy.spec
index 46a065a..1efe07c 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -8,7 +8,7 @@ Name: haproxy Version: 3.0.5 -Release: 6%{?dist} +Release: 7%{?dist} Summary: HAProxy reverse proxy for high availability environments License: GPL-2.0-or-later
@@ -22,6 +22,7 @@ Source4: %{name}.sysconfig Source5: %{name}.sysusers Source6: halog.1 Patch0: RHEL-126653-CVE-2025-11230-fix-denial-of-service-vulnerability-in-mjson-library.patch +Patch1: RHEL-170588-peers-fix-OOB-heap-write-in-dictionary-cache-update.patch BuildRequires: gcc BuildRequires: lua-devel
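Review bot: The embedded peers.c patch mixes two near-identical trace event flags: the condition changed under `@@ -400,7 +404,7 @@` now tests the new `PEERS_EV_PROTO_ERR` (bit 8), while the `TRACE_ERROR` call added under `@@ -2005,13 +2009,12 @@` passes the older `PEERS_EV_PROTOERR` (bit 6). Call sites that still pass `PEERS_EV_PROTOERR` (none are visible here) would presumably stop reaching that branch, and both table entries carry the same "protocol error" description, so the mix-up is easy to miss. The memory-safety fix itself is only the hoisted `if (id > dc->max_entries)` check, so a narrower backport could keep the original `TRACE_PROTO("malformed message", PEERS_EV_UPDTMSG, NULL, p, NULL, &id);` call and drop the two new defines and the condition change. `dc->rx[id - 1]` also depends on `id` being non-zero; that check is not in this hunk and is presumably done earlier in the function, whose start and end lie outside the hunk, so it is worth confirming against the 3.0.5 source.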
@@ -133,6 +134,10 @@ echo "d /var/lib/haproxy 0755 root root - -" > %{buildroot}%{_tmpfilesdir}/%{nam %{_tmpfilesdir}/%{name}.conf %changelog +* Tue May 5 2026 Oyvind Albrigtsen - 3.0.5-7 +- peers: fix OOB heap write in dictionary cache update + Resolves: RHEL-170588 + * Thu Nov 6 2025 Oyvind Albrigtsen - 3.0.5-6 - Fix denial of service vulnerability in mjson library (CVE-2025-11230) Resolves: RHEL-126653