From: Willy Tarreau Date: Wed, 16 Nov 2022 17:56:34 +0000 (+0100) Subject: BUG/MEDIUM: ring: fix creation of server in uninitialized ring X-Git-Tag: v2.7-dev9~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b662aabbfa32fb6ddeff4ff5f0e3031f12dafd3;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ring: fix creation of server in uninitialized ring If a "ring" section initialization fails (e.g. due to a duplicate name, invalid chars, or missing memory), any subsequent "server" statement that appears in the same section will crash the config parser by dereferencing the currently NULL cfg_sink. E.g: ring x ring x # fails on "already exists" server srv 1.1.1.1 # crashes on cfg_sink==NULL All other statements have a test for this but "server" was missing it, so this patch adds it. Thanks to Joel Hutchinson for reporting this issue. This must be backported as far as 2.2. --- diff --git a/src/sink.c b/src/sink.c index de1e9cfbf4..ef3d0f0f21 100644 --- a/src/sink.c +++ b/src/sink.c @@ -954,6 +954,12 @@ int cfg_parse_ring(const char *file, int linenum, char **args, int kwm) cfg_sink->ctx.ring = ring_make_from_area(area, size); } else if (strcmp(args[0],"server") == 0) { + if (!cfg_sink || (cfg_sink->type != SINK_TYPE_BUFFER)) { + ha_alert("parsing [%s:%d] : unable to create server '%s'.\n", file, linenum, args[1]); + err_code |= ERR_ALERT | ERR_FATAL; + goto err; + } + err_code |= parse_server(file, linenum, args, cfg_sink->forward_px, NULL, SRV_PARSE_PARSE_ADDR|SRV_PARSE_INITIAL_RESOLVE); }
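Review bot: the alert added in the "server" branch says only "unable to create server '%s'", which does not tell the user why. The check covers two different conditions: cfg_sink being NULL because the enclosing "ring" section failed to initialize, and cfg_sink->type not being SINK_TYPE_BUFFER. Consider wording the message to point at the ring section, or emitting a separate message per condition, so the error reads sensibly next to the earlier "already exists" failure from the commit message's example. The commit message also notes that every other statement already carries its own copy of this test. A shared check for all keywords other than the section opener would keep a newly added keyword from reintroducing the NULL dereference, and could be done as a follow-up so the backport stays minimal.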