When backends' extra counters are dumped, the wrong pointer was used in the
promex context to retrieve the stats module. p[1] must be used instead of
p[2]. Because of this typo, an infinite loop could be experienced if the
output buffer is full during this stage. But in all cases an overflow is
possible, leading to a memory corruption.

This patch may be related to issue #2831. It must be backported as far as
3.0.

static struct ist prefix = IST("haproxy_backend_");
struct promex_ctx *ctx = appctx->svcctx;
struct proxy *px = ctx->p[0];
- struct stats_module *mod = ctx->p[2];
+ struct stats_module *mod = ctx->p[1];
struct server *sv;
struct field val;
struct channel *chn = sc_ic(appctx_sc(appctx));
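Review bot: the `ctx->p[2]` / `ctx->p[1]` mix-up on the `mod` initialisation was possible because the promex context slots are addressed by bare numeric index, and both `ctx->p[0]` into a `struct proxy *` and `ctx->p[2]` into a `struct stats_module *` are accepted here without a cast, so a wrong slot is not flagged at build time. Consider named indices or typed fields for these slots, or at least a comment beside these declarations stating what each `p[n]` holds during this dump stage, so the same typo stands out in review. The commit message also does not say what `p[2]` holds at this point; stating it would help when judging the backport to 3.0 and the possible link to issue #2831.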