From: Willy Tarreau
Date: Fri, 3 Apr 2026 06:56:54 +0000 (+0200)
Subject: BUG/MINOR: cfgcond: always set the error string on openssl_version checks
X-Git-Tag: v3.4-dev8~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bf04e64f2cd47e2f2ff3376d7313956dc8e9dee0;p=thirdparty%2Fhaproxy.git
BUG/MINOR: cfgcond: always set the error string on openssl_version checks
Using openssl_version_before() with an invalid argument results in "(null)" appearing in the error message due to -1 being returned without the error message being filled. Let's always fill the error message on error. This was introduced in 2.5 with commit 3aeb3f9347 ("MINOR: cfgcond: implements openssl_version_atleast and openssl_version_before"), and this fix must be backported to 2.6.
---
diff --git a/src/cfgcond.c b/src/cfgcond.c
index 07fe9c8fc..9eebada3a 100644
--- a/src/cfgcond.c
+++ b/src/cfgcond.c
@@ -272,8 +272,10 @@ int cfg_eval_cond_term(const struct cfg_cond_term *term, char **err)
 case CFG_PRED_OSSL_VERSION_ATLEAST: { // checks if the current openssl version is at least this one
 int opensslret = openssl_compare_current_version(term->args[0].data.str.area);
- if (opensslret < -1) /* can't parse the string or no openssl available */
+ if (opensslret < -1) { /* can't parse the string or no openssl available */
+ memprintf(err, "invalid argument to conditional expression predicate '%s': '%s'", term->pred->word, term->args[0].data.str.area);
 ret = -1;
+ }
 else
 ret = opensslret <= 0;
 break;
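Review bot: The message added in the `CFG_PRED_OSSL_VERSION_ATLEAST` branch always blames the argument, but the comment on the same `if` says this path is also taken when no OpenSSL is available, so a well-formed version string could be reported as invalid on such a build. This is inferred from the comment, since `openssl_compare_current_version()` is not shown here; the `CFG_PRED_OSSL_VERSION_BEFORE` hunk has the same wording. If the callee cannot distinguish the two causes, the text could cover both, e.g. `"invalid argument to conditional expression predicate '%s' (or OpenSSL support not available): '%s'"`. A short comment noting that every `ret = -1` path in this switch must fill `*err` would also help keep future predicates from reintroducing the "(null)" output. The enclosing switch in `cfg_eval_cond_term` starts and ends outside the hunk.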
@@ -281,8 +283,10 @@ int cfg_eval_cond_term(const struct cfg_cond_term *term, char **err)
 case CFG_PRED_OSSL_VERSION_BEFORE: { // checks if the current openssl version is older than this one
 int opensslret = openssl_compare_current_version(term->args[0].data.str.area);
- if (opensslret < -1) /* can't parse the string or no openssl available */
+ if (opensslret < -1) { /* can't parse the string or no openssl available */
+ memprintf(err, "invalid argument to conditional expression predicate '%s': '%s'", term->pred->word, term->args[0].data.str.area);
 ret = -1;
+ }
 else
 ret = opensslret > 0;
 break;