BUG/MAJOR: stick-counters: possible crash when using sc_trackers with wrong table

Bryan Talbot reported a very interesting bug. The sc_trackers() sample
fetch seems to have escaped the sanitization that was performed during 1.5
to ensure all dereferences of stkctr_entry() were safe. Here if a tacker
is set on a backend and is then checked against a different backend where
the entry doesn't exist, stkctr_entry() returns NULL and this is dereferenced
to retrieve the ref count. Thanks to Bryan for his detailed bug report featuring
a working config and reproducer.

This fix must be backported to 1.6 and 1.5.

diff --git a/src/stream.c b/src/stream.c
index 172d78c8680b91e46de39f96530d5a2bf2649f0c..3eb5265db45bb07668c59837cf90391cfa45cd45 100644 (file)
--- a/src/stream.c
+++ b/src/stream.c
@@ -3262,7 +3262,7 @@ smp_fetch_sc_trackers(const struct arg *args, struct sample *smp, const char *kw
 
        smp->flags = SMP_F_VOL_TEST;
        smp->data.type = SMP_T_SINT;
-       smp->data.u.sint = stkctr_entry(stkctr)->ref_cnt;
+       smp->data.u.sint = stkctr_entry(stkctr) ? stkctr_entry(stkctr)->ref_cnt : 0;
        return 1;
 }