]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 28e94c6)
BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
authorAurelien DARRAGON <adarragon@haproxy.com>
Tue, 22 Aug 2023 09:03:06 +0000 (11:03 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Fri, 25 Aug 2023 09:52:43 +0000 (11:52 +0200)
As reported by Coverity in GH #2253, stktable_data_ptr() usage in
hlua_stktable_dump() func is potentially unsafe because
stktable_data_ptr() may return NULL and the returned value is
dereferenced as-is without precautions.

In practise, this should not happen because some error checking was
already performed prior to calling stktable_data_ptr(). But since we're
using the safe stktable_data_ptr() function, all the error checking is
already done within the function, thus all we need to do is check ptr
against NULL instead to protect against NULL dereferences.

This should be backported in every stable versions.

src/hlua_fcn.c patch | blob | blame | history

diff --git a/src/hlua_fcn.c b/src/hlua_fcn.c
index 091a23e6fb787c8279bc30d829f2bbd916c83adb..9937082138ec867402f61dee05d60fb8868f085c 100644 (file)
--- a/src/hlua_fcn.c
+++ b/src/hlua_fcn.c
@@ -859,12 +859,12 @@ static void hlua_stktable_entry(lua_State *L, struct stktable *t, struct stksess
 
        for (dt = 0; dt < STKTABLE_DATA_TYPES; dt++) {
 
-               if (t->data_ofs[dt] == 0)
+               ptr = stktable_data_ptr(t, ts, dt);
+               if (!ptr)
                        continue;
 
                lua_pushstring(L, stktable_data_types[dt].name);
 
-               ptr = stktable_data_ptr(t, ts, dt);
                switch (stktable_data_types[dt].std_type) {
                case STD_T_SINT:
                        lua_pushinteger(L, stktable_data_cast(ptr, std_t_sint));
@@ -1056,10 +1056,9 @@ int hlua_stktable_dump(lua_State *L)
                /* multi condition/value filter */
                skip_entry = 0;
                for (i = 0; i < filter_count; i++) {
-                       if (t->data_ofs[filter[i].type] == 0)
-                               continue;
-
                        ptr = stktable_data_ptr(t, ts, filter[i].type);
+                       if (!ptr)
+                               continue;
 
                        switch (stktable_data_types[filter[i].type].std_type) {
                        case STD_T_SINT:
Mirror of https://github.com/haproxy/haproxy.git