[BUG] primary parent hash_string copy lacks the MAXDNAME bound already used for hostname #12954
Description
Hello Apache Traffic Server maintainers,
I would like to report what appears to be a real current-head overflow in the primary-parent configuration parsing path. I rechecked current upstream head on 2026-03-10 before writing this report.
I want to be careful about scope: this is a local configuration parsing bug, not a remotely triggerable HTTP request bug.
The current code explicitly checks the hostname length:
if (tmp - current > MAXDNAME) {
errPtr = "Parent hostname is too long";
goto MERROR;
}but then handles the optional &hash suffix with no analogous bound:
if (tmp3) {
memcpy(this->parents[i].hash_string, tmp3 + 1, strlen(tmp3));
this->parents[i].name = this->parents[i].hash_string;
}The destination field is:
char hash_string[MAXDNAME + 1];inside struct pRecord.
So current head already proves the intended maximum for the hostname field, but not for the hash suffix. If an administrator provides a parent entry with a very long &hash_string, the primary-parent branch copies strlen(tmp3) bytes starting at tmp3 + 1 into a fixed hash_string[MAXDNAME + 1] with no length check.
Why I do not think this is a false positive:
- the hostname check does not cover the
hash_stringbranch pRecordobjects are allocated in arrays, so overflowing the last field corrupts subsequent records- the path is real config parsing in
ParentSelection, not a synthetic test - the bug is visible directly in current-head code semantics
I am not claiming remote exploitability. The precise claim is: a crafted parent.config / parent-rule entry with an overlong &hash suffix overflows the primary hash_string field during configuration parsing.
The obvious fix is to apply a MAXDNAME bound to the hash_string suffix before the memcpy().
Best regards,
Pengpeng Hou