From: Amaury Denoyelle Date: Wed, 21 Jul 2021 09:50:12 +0000 (+0200) Subject: BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request X-Git-Tag: v2.5-dev3~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5fcd428c35c45f7222b9aade0c0484fcdb558de9;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request Some ssl samples cause a segfault when the stream is not instantiated, for example during an invalid HTTP request. A new check is added to prevent the stream dereferencing if NULL. This is the list of the affected samples : - ssl_s_chain_der - ssl_s_der - ssl_s_i_dn - ssl_s_key_alg - ssl_s_notafter - ssl_s_notbefore - ssl_s_s_dn - ssl_s_serial - ssl_s_sha1 - ssl_s_sig_alg - ssl_s_version This bug can be reproduced easily by using one of these samples in a log-format string. Emit an invalid HTTP request with an HTTP client to trigger the crash. This bug has been reported in redmine issue 3913. This must be backported up to 2.2. --- diff --git a/src/ssl_sample.c b/src/ssl_sample.c index bfa61bdcd7..5509e1f227 100644 --- a/src/ssl_sample.c +++ b/src/ssl_sample.c @@ -101,7 +101,7 @@ smp_fetch_ssl_x_der(const struct arg *args, struct sample *smp, const char *kw, SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); @@ -156,7 +156,7 @@ smp_fetch_ssl_x_chain_der(const struct arg *args, struct sample *smp, const char int i; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); @@ -219,7 +219,7 @@ smp_fetch_ssl_x_serial(const struct arg *args, struct sample *smp, const char *k SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); ssl = ssl_sock_get_ssl_object(conn); @@ -272,7 +272,7 @@ smp_fetch_ssl_x_sha1(const struct arg *args, struct sample *smp, const char *kw, SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); @@ -323,7 +323,7 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); @@ -375,7 +375,7 @@ smp_fetch_ssl_x_i_dn(const struct arg *args, struct sample *smp, const char *kw, SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); @@ -443,7 +443,7 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); @@ -495,7 +495,7 @@ smp_fetch_ssl_x_s_dn(const struct arg *args, struct sample *smp, const char *kw, SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); @@ -592,7 +592,7 @@ smp_fetch_ssl_x_version(const struct arg *args, struct sample *smp, const char * SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); ssl = ssl_sock_get_ssl_object(conn); @@ -637,7 +637,7 @@ smp_fetch_ssl_x_sig_alg(const struct arg *args, struct sample *smp, const char * SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); @@ -694,7 +694,7 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char * SSL *ssl; if (conn_server) - conn = cs_conn(objt_cs(smp->strm->si[1].end)); + conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; else conn = objt_conn(smp->sess->origin); ssl = ssl_sock_get_ssl_object(conn);