Fix crash reproted via hackerone.

In new_connection we didn't validate if proxy-protocol header had correct number of items. Classic out-of-bounds.
cloudflare · May 20, 2020 · 53ee896 · 53ee896
1 parent bf51031
commit 53ee896
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 7 deletions.
diff --git a/Makefile b/Makefile
@@ -56,4 +56,4 @@ format:
 
 .PHONY: cloudflare-ip-ranges.txt
 cloudflare-ip-ranges.txt:
-	curl -s https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6 > cloudflare-ip-ranges.txt
+	curl -s https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6 | sort > cloudflare-ip-ranges.txt
diff --git a/cloudflare-ip-ranges.txt b/cloudflare-ip-ranges.txt
@@ -17,5 +17,5 @@
 2405:b500::/32
 2606:4700::/32
 2803:f800::/32
-2c0f:f248::/32
 2a06:98c0::/29
+2c0f:f248::/32
diff --git a/src/main.c b/src/main.c
@@ -80,8 +80,9 @@ coroutine void new_connection(int cd, struct state *state)
 		return;
 	}
 
-	/* Chop buf on \r\n. */
+	const char **words = NULL;
 
+	/* Chop buf on \r\n. */
 	char *nl = memchr(buf, '\n', rbytes);
 	if (nl == NULL) {
 		goto parseerror;
@@ -95,7 +96,10 @@ coroutine void new_connection(int cd, struct state *state)
 	buf[nbytes - 1] = '\0';
 	buf[nbytes] = '\0';
 
-	const char **words = parse_argv(buf, ' ');
+	words = parse_argv(buf, ' ');
+	if (argv_len(words) != 6) {
+		goto parseerror;
+	}
 	if (strcasecmp(words[0], "PROXY") != 0) {
 		goto parseerror;
 	}
@@ -123,8 +127,6 @@ coroutine void new_connection(int cd, struct state *state)
 		goto parseerror;
 	}
 
-	free(words);
-
 	char rstr[IPADDR_MAXSTRLEN + 7];
 	ipaddrstr_port(remote_addr, rstr);
 
@@ -166,6 +168,7 @@ coroutine void new_connection(int cd, struct state *state)
 	free(ch);
 
 disconnected:
+	free(words);
 	fdclean(cd);
 	close(cd);
 	fdclean(rs);
@@ -176,6 +179,7 @@ coroutine void new_connection(int cd, struct state *state)
 
 parseerror:
 	printf("[?] %s broke with bad proxy-protocol header\n", lstr);
+	free(words);
 	fdclean(cd);
 	close(cd);
 	return;

diff --git a/src/mmproxy.h b/src/mmproxy.h
@@ -49,6 +49,7 @@ int check_ip_rule(int ipv6, uint32_t mark, uint32_t table);
 int check_ip_route(int ipv6, uint32_t table);
 int set_nofile_max();
 int read_subnets(const char *fname, network **ptr_networks, int *ptr_networks_len);
+unsigned argv_len(const char **argv);
 
 /* net.c */
 ipaddr ipaddr_parse(const char *addr, int noport);
@@ -66,7 +67,6 @@ int net_find_match(network *networks, int networks_len, ipaddr addr);
 int ipport(ipaddr addr);
 
 
-
 #ifndef IP_TRANSPARENT
 # define IP_TRANSPARENT 19
 #endif