From: Willy Tarreau Date: Fri, 25 Oct 2019 08:06:55 +0000 (+0200) Subject: BUG/MEDIUM: debug: address a possible null pointer dereference in "debug dev stream" X-Git-Tag: v2.1-dev3~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2fee0406ddf7dfc3a29617ac2eccf20d7ebd03e;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: debug: address a possible null pointer dereference in "debug dev stream" As reported in issue #343, there is one case where a NULL stream can still be dereferenced, when getting &s->txn->flags. Let's protect all assignments to stay on the safe side for future additions. No backport is needed.
---
diff --git a/src/debug.c b/src/debug.c
index 8df2993492..fe2fe310c9 100644
--- a/src/debug.c
+++ b/src/debug.c
@@ -443,35 +443,35 @@ static int debug_parse_cli_stream(char **args, char *payload, struct appctx *app
 end++;
 name = ist2(word, end - word);
 if (isteq(name, ist("strm"))) {
- ptr = &s; size = sizeof(s);
+ ptr = (!s || !may_access(s)) ? NULL : &s; size = sizeof(s);
 } else if (isteq(name, ist("strm.f"))) {
- ptr = &s->flags; size = sizeof(s->flags);
+ ptr = (!s || !may_access(s)) ? NULL : &s->flags; size = sizeof(s->flags);
 } else if (isteq(name, ist("txn.f"))) {
- ptr = &s->txn->flags; size = sizeof(s->txn->flags);
+ ptr = (!s || !may_access(s)) ? NULL : &s->txn->flags; size = sizeof(s->txn->flags);
 } else if (isteq(name, ist("req.f"))) {
- ptr = &s->req.flags; size = sizeof(s->req.flags);
+ ptr = (!s || !may_access(s)) ? NULL : &s->req.flags; size = sizeof(s->req.flags);
 } else if (isteq(name, ist("res.f"))) {
- ptr = &s->res.flags; size = sizeof(s->res.flags);
+ ptr = (!s || !may_access(s)) ? NULL : &s->res.flags; size = sizeof(s->res.flags);
 } else if (isteq(name, ist("req.r"))) {
- ptr = &s->req.rex; size = sizeof(s->req.rex);
+ ptr = (!s || !may_access(s)) ? NULL : &s->req.rex; size = sizeof(s->req.rex);
 } else if (isteq(name, ist("res.r"))) {
- ptr = &s->res.rex; size = sizeof(s->res.rex);
+ ptr = (!s || !may_access(s)) ? NULL : &s->res.rex; size = sizeof(s->res.rex);
 } else if (isteq(name, ist("req.w"))) {
- ptr = &s->req.wex; size = sizeof(s->req.wex);
+ ptr = (!s || !may_access(s)) ? NULL : &s->req.wex; size = sizeof(s->req.wex);
 } else if (isteq(name, ist("res.w"))) {
- ptr = &s->res.wex; size = sizeof(s->res.wex);
+ ptr = (!s || !may_access(s)) ? NULL : &s->res.wex; size = sizeof(s->res.wex);
 } else if (isteq(name, ist("sif.f"))) {
- ptr = &s->si[0].flags; size = sizeof(s->si[0].flags);
+ ptr = (!s || !may_access(s)) ? NULL : &s->si[0].flags; size = sizeof(s->si[0].flags);
 } else if (isteq(name, ist("sib.f"))) {
- ptr = &s->si[1].flags; size = sizeof(s->si[1].flags);
+ ptr = (!s || !may_access(s)) ? NULL : &s->si[1].flags; size = sizeof(s->si[1].flags);
 } else if (isteq(name, ist("sif.x"))) {
- ptr = &s->si[0].exp; size = sizeof(s->si[0].exp);
+ ptr = (!s || !may_access(s)) ? NULL : &s->si[0].exp; size = sizeof(s->si[0].exp);
 } else if (isteq(name, ist("sib.x"))) {
- ptr = &s->si[1].exp; size = sizeof(s->si[1].exp);
+ ptr = (!s || !may_access(s)) ? NULL : &s->si[1].exp; size = sizeof(s->si[1].exp);
 } else if (isteq(name, ist("sif.s"))) {
- ptr = &s->si[0].state; size = sizeof(s->si[0].state);
+ ptr = (!s || !may_access(s)) ? NULL : &s->si[0].state; size = sizeof(s->si[0].state);
 } else if (isteq(name, ist("sib.s"))) {
- ptr = &s->si[1].state; size = sizeof(s->si[1].state);
+ ptr = (!s || !may_access(s)) ? NULL : &s->si[1].state; size = sizeof(s->si[1].state);
 } else if (isteq(name, ist("wake"))) {
 if (s && may_access(s) && may_access((void *)s + sizeof(*s) - 1))
 task_wakeup(s->task, TASK_WOKEN_TIMER|TASK_WOKEN_IO|TASK_WOKEN_MSG);
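Review bot: In the `txn.f` branch the new guard tests only `s`, so `s->txn` is still loaded and used unchecked; if `txn` can be NULL for some streams (not visible here), `&s->txn->flags` becomes a small offset from NULL rather than NULL. `may_access(s)` also probes only the first byte of the stream, while the `wake` branch at the end of this hunk additionally probes `(void *)s + sizeof(*s) - 1`, and `s->txn` is read from inside the struct. I would write that line as `ptr = (!s || !may_access(s) || !may_access((void *)s + sizeof(*s) - 1) || !s->txn) ? NULL : &s->txn->flags; size = sizeof(s->txn->flags);`. Whether `ptr` is validated again before it is read or written cannot be seen here, since debug_parse_cli_stream starts and ends outside the hunk.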