git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MAJOR: checks: segfault during tcpcheck_main
author Ricardo Nabinger Sanchez <rnsanchez@taghos.com.br>
Fri, 29 Mar 2019 00:42:23 +0000 (21:42 -0300)
committer Willy Tarreau <w@1wt.eu>
Fri, 29 Mar 2019 10:12:35 +0000 (11:12 +0100)
When using TCP health checks (tcp-check connect), it is possible to
crash with a segfault when, for reasons yet to be understood, the
protocol family is unknown.

In the function tcpcheck_main(), proto is dereferenced without a prior
test in case it is NULL, leading to the segfault during proto->connect
dereference.

The line has been unmodified since it was introduced, in commit
69e273f3fcfbfb9cc0fb5a09668faad66cfbd36b.  This was the only use of
proto (or more specifically, the return of protocol_by_family()) that
was unprotected; all other callsites perform the test for a NULL
pointer.

This patch should be backported to 1.9, 1.8, 1.7, and 1.6.

src/checks.c

index 35744c6b78c5df545aa49b343869f6791451b764..31004ddf893b16d128308b24731e0a4a76b3e239 100644 (file)
@@ -2839,7 +2839,7 @@ static int tcpcheck_main(struct check *check)
                        cs_attach(cs, check, &check_conn_cb);
 
                        ret = SF_ERR_INTERNAL;
-                       if (proto->connect)
+                       if (proto && proto->connect)
                                ret = proto->connect(conn,
                                                     1 /* I/O polling is always needed */,
                                                     (next && next->action == TCPCHK_ACT_EXPECT) ? 0 : 2);
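
Review bot: at `if (proto && proto->connect)`, a NULL proto now falls through with ret left at SF_ERR_INTERNAL, the same result as a protocol that has no connect method, so the unknown-family case that the commit message describes as not yet understood cannot be told apart from the other once the check fails. Consider handling `!proto` in its own branch, with a short comment that protocol_by_family() can return NULL here, and reporting the unexpected address family in the check status so the root cause can be traced rather than only masked.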