BUG/MAJOR: Stick-tables crash with segfault when the key is not in the stick-table

When a lookup is done on a key not present in the stick-table the "st"
pointer is NULL and it is used to return the converter result, but it
is used untested with stktable_release().

This regression was introduced in 1.8.10 here:

   BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters
   commit d7bd88009d88dd413e01bc0baa90d6662a3d7718
   Author: Daniel Corbett <dcorbett@haproxy.com>
   Date:   Sun May 27 09:47:12 2018 -0400

Minimal conf for reproducong the problem:

   frontend test
      mode http
      stick-table type ip size 1m expire 1h store gpc0
      bind *:8080
      http-request redirect location /a if { src,in_table(test) }

The segfault is triggered using:

   curl -i http://127.0.0.1:8080/

This patch must be backported in 1.8

diff --git a/src/stick_table.c b/src/stick_table.c
index 101a4e253f01d7389a0344f1c4bd80474d418129..42946545510d180f7cc3d88612a00b3871977189 100644 (file)
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -875,7 +875,8 @@ static int sample_conv_in_table(const struct arg *arg_p, struct sample *smp, voi
        smp->data.type = SMP_T_BOOL;
        smp->data.u.sint = !!ts;
        smp->flags = SMP_F_VOL_TEST;
-       stktable_release(t, ts);
+       if (ts)
+               stktable_release(t, ts);
        return 1;
 }