BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end

When the end of the list is reached, the current step's action is checked
to know if we must poll or not. Unfortunately, the main reason for going
there is that we walked past the end of list and current_step points to
the head. We cannot dereference ->action since it does not belong to this
structure and can definitely crash if the address is not mapped.

This bug is unlikely to cause a crash since the action appears just after
the list, and corresponds to the "char *check_req" pointer in the proxy
struct, and it seems that we can't go there with current_step being null.
At worst it can cause the check to register for recv events.

This fix needs to be backported to 1.5 since the code is incorrect there
as well.

diff --git a/src/checks.c b/src/checks.c
index c8f7fdbc4eb520f54a5d4b81585c4e5bd999fb81..30523a733e2d5825819155936ca1315c2288e65e 100644 (file)
--- a/src/checks.c
+++ b/src/checks.c
@@ -2840,10 +2840,12 @@ static void tcpcheck_main(struct connection *conn)
        goto out_end_tcpcheck;
 
  out_need_io:
+       /* warning, current_step may now point to the head */
        if (check->bo->o)
                __conn_data_want_send(conn);
 
-       if (check->current_step->action == TCPCHK_ACT_EXPECT)
+       if (&check->current_step->list != head &&
+           check->current_step->action == TCPCHK_ACT_EXPECT)
                __conn_data_want_recv(conn);
        return;
 
@@ -2859,7 +2861,6 @@ static void tcpcheck_main(struct connection *conn)
                conn->flags |= CO_FL_ERROR;
 
        __conn_data_stop_both(conn);
-
        return;
 }