From: Aurelien DARRAGON Date: Tue, 28 Nov 2023 14:47:25 +0000 (+0100) Subject: BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request() X-Git-Tag: v2.9-dev12~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3cbd369506e60d55354dd310d098ff6fd739bf4;p=thirdparty%2Fhaproxy.git BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request() This bug was introduced in ead43fe4f2 ("MEDIUM: compression: Make it so we can compress requests as well.") 2 cases where not properly handled, resulting in 2 possible NULL dereferences leading to crashes in the function at runtime: - when the backend didn't define any compression options so its comp pointer is NULL (ie: if only the frontend defines some comp options) - when both the frontend and the backend didn't set a compression algo but at least one of the two defined some other comp options (comp pointer set) For the first case, we added the missing checks to make sure we don't read ->comp pointer if it is NULL. For the second case, we properly return from the function if no compression algo is defined, because there is no default value that could be used as a fallback. This should be backported to 2.8. --- diff --git a/src/flt_http_comp.c b/src/flt_http_comp.c index d34b56a86d..30f9d2a628 100644 --- a/src/flt_http_comp.c +++ b/src/flt_http_comp.c @@ -183,10 +183,12 @@ comp_prepare_compress_request(struct comp_state *st, struct stream *s, struct ht if (txn->meth == HTTP_METH_HEAD) return; - if (s->be->comp->algo_req != NULL) + if (s->be->comp && s->be->comp->algo_req != NULL) st->comp_algo[COMP_DIR_REQ] = s->be->comp->algo_req; - else if (strm_fe(s)->comp->algo_req != NULL) + else if (strm_fe(s)->comp && strm_fe(s)->comp->algo_req != NULL) st->comp_algo[COMP_DIR_REQ] = strm_fe(s)->comp->algo_req; + else + goto fail; /* no algo selected: nothing to do */ /* limit compression rate */