From: Christopher Faulet Date: Mon, 21 Oct 2019 08:53:34 +0000 (+0200) Subject: BUG/MINOR: stick-table: Never exceed (MAX_SESS_STKCTR-1) when fetching a stkctr X-Git-Tag: v2.1-dev3~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a9fa88a1eac9bd0ad2cfb761c4b69fd500a1b056;p=thirdparty%2Fhaproxy.git BUG/MINOR: stick-table: Never exceed (MAX_SESS_STKCTR-1) when fetching a stkctr When a stick counter is fetched, it is important that the requested counter does not exceed (MAX_SESS_STKCTR -1). Actually, there is no bug with a default build because, by construction, MAX_SESS_STKCTR is defined to 3 and we know that we never exceed the max value. scN_* sample fetches are numbered from 0 to 2. For other sample fetches, the value is tested. But there is a bug if MAX_SESS_STKCTR is set to a lower value. For instance 1. In this case the counters sc1_* and sc2_* may be undefined. This patch fixes the issue #330. It must be backported as far as 1.7. --- diff --git a/src/stick_table.c b/src/stick_table.c index 3429d047cd..86ea3ceea5 100644 --- a/src/stick_table.c +++ b/src/stick_table.c @@ -2148,8 +2148,6 @@ smp_fetch_sc_stkctr(struct session *sess, struct stream *strm, const struct arg if (num == '_' - '0') { /* sc_* variant, args[0] = ctr# (mandatory) */ num = args[arg++].data.sint; - if (num >= MAX_SESS_STKCTR) - return NULL; } else if (num > 9) { /* src_* variant, args[0] = table */ struct stktable_key *key; @@ -2180,7 +2178,10 @@ smp_fetch_sc_stkctr(struct session *sess, struct stream *strm, const struct arg * the sc[0-9]_ form, or even higher using sc_(num) if needed. * args[arg] is the first optional argument. We first lookup the * ctr form the stream, then from the session if it was not there. + * But we must be sure the counter does not exceed MAX_SESS_STKCTR. */ + if (num >= MAX_SESS_STKCTR) + return NULL; if (strm) stkptr = &strm->stkctr[num];