From: Dragan Dosen <ddosen@haproxy.com>
Date: Mon, 4 May 2020 07:07:28 +0000 (+0200)
Subject: BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
X-Git-Tag: v2.2-dev7~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f35d69e7fc13aab89afcf394c5b96133d3060c1a;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()

After we call SSL_SESSION_get_id(), the length of the id in bytes is
stored in "len", which was never checked. This could cause unexpected
behavior when using the "ssl_fc_session_id" or "ssl_bc_session_id"
fetchers (eg. the result can be an empty value).

The issue was introduced with commit 105599c ("BUG/MEDIUM: ssl: fix
several bad pointer aliases in a few sample fetch functions").

This patch must be backported to 2.1, 2.0, and 1.9.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6462c3e592..c4f9a86ad5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -8706,7 +8706,7 @@ smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const ch
 		return 0;
 
 	smp->data.u.str.area = (char *)SSL_SESSION_get_id(ssl_sess, &len);
-	if (!smp->data.u.str.area || !smp->data.u.str.data)
+	if (!smp->data.u.str.area || !len)
 		return 0;
 
 	smp->data.u.str.data = len;