From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 14 Jan 2025 06:39:48 +0000 (+0100)
Subject: BUG/MEDIUM: promex: Use right context pointers to dump backends extra-counters
X-Git-Tag: v3.2-dev4~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91578212d7cef7405f3631db43a086ac9f9ca162;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: promex: Use right context pointers to dump backends extra-counters

When backends extra counters are dumped, the wrong pointer was used in the
promex context to retrieve the stats module. p[1] must be used instead of
p[2]. Because of this typo, a infinite loop could be experienced if the
output buffer is full during this stage. But in all cases an overflow is
possible leading to a memory corruption.

This patch may be related to issue #2831. It must be backported as far as
3.0.
---

diff --git a/addons/promex/service-prometheus.c b/addons/promex/service-prometheus.c
index e0a20be499..0df71a6b0c 100644
--- a/addons/promex/service-prometheus.c
+++ b/addons/promex/service-prometheus.c
@@ -1037,7 +1037,7 @@ static int promex_dump_back_metrics(struct appctx *appctx, struct htx *htx)
 	static struct ist prefix = IST("haproxy_backend_");
 	struct promex_ctx *ctx = appctx->svcctx;
 	struct proxy *px = ctx->p[0];
-	struct stats_module *mod = ctx->p[2];
+	struct stats_module *mod = ctx->p[1];
 	struct server *sv;
 	struct field val;
 	struct channel *chn = sc_ic(appctx_sc(appctx));