From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 4 Jun 2025 06:48:48 +0000 (+0200)
Subject: BUG/MINOR: mux-spop: Fix null-pointer deref on SPOP stream allocation failure
X-Git-Tag: v3.3-dev1~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c4bb8cab37f72c451bc7685eaf58cb1c2f5fae2;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mux-spop: Fix null-pointer deref on SPOP stream allocation failure

When we try to allocate a new SPOP stream, if an error is encountered,
spop_strm_destroy() is called to released the eventually allocated
stream. But, it must only be called if a stream was allocated. If the
reported error is an SPOP stream allocation failure, we must just leave to
avoid null-pointer dereference.

This patch should fix point 1 of the issue #2993. It must be backported as
far as 3.1.
---

diff --git a/src/mux_spop.c b/src/mux_spop.c
index 064068517..6baf2a2dc 100644
--- a/src/mux_spop.c
+++ b/src/mux_spop.c
@@ -1260,7 +1260,8 @@ static struct spop_strm *spop_stconn_new(struct spop_conn *spop_conn, struct stc
 
   out:
 	TRACE_DEVEL("leaving on error", SPOP_EV_SPOP_STRM_NEW|SPOP_EV_SPOP_STRM_END|SPOP_EV_SPOP_STRM_ERR, spop_conn->conn);
-	spop_strm_destroy(spop_strm);
+	if (spop_strm)
+		spop_strm_destroy(spop_strm);
 	return NULL;
 }