From: Willy Tarreau Date: Wed, 9 Apr 2014 11:25:42 +0000 (+0200) Subject: BUG/MAJOR: counters: check for null-deref when looking up an alternate table X-Git-Tag: v1.5-dev23~62 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a0b6bd648592e73f42fb8e7341bf984d26ba8dc;p=thirdparty%2Fhaproxy.git BUG/MAJOR: counters: check for null-deref when looking up an alternate table Constructions such as sc0_get_gpc0(foo) allow to look up the same key as the current key but in an alternate table. A check was missing to ensure we already have a key, resulting in a crash if this lookup is performed before the associated track-sc rule. This bug was reported on the mailing list by Neil@iamafreeman and narrowed down further by Lukas Tribus and Thierry Fournier. This bug was introduced in 1.5-dev20 by commit "0f791d4 MEDIUM: counters: support looking up a key in an alternate table". --- diff --git a/src/session.c b/src/session.c index efc0736ec0..cada0ab99f 100644 --- a/src/session.c +++ b/src/session.c @@ -2639,6 +2639,7 @@ static struct stkctr * smp_fetch_sc_stkctr(struct session *l4, const struct arg *args, const char *kw) { static struct stkctr stkctr; + struct stksess *stksess; unsigned int num = kw[2] - '0'; int arg = 0; @@ -2668,13 +2669,17 @@ smp_fetch_sc_stkctr(struct session *l4, const struct arg *args, const char *kw) * the sc[0-9]_ form, or even higher using sc_(num) if needed. * args[arg] is the first optional argument. */ + stksess = stkctr_entry(&l4->stkctr[num]); + if (!stksess) + return NULL; + if (unlikely(args[arg].type == ARGT_TAB)) { /* an alternate table was specified, let's look up the same key there */ stkctr.table = &args[arg].data.prx->table; - stkctr_set_entry(&stkctr, stktable_lookup(stkctr.table, stkctr_entry(&l4->stkctr[num]))); + stkctr_set_entry(&stkctr, stktable_lookup(stkctr.table, stksess)); return &stkctr; } - return stkctr_entry(&l4->stkctr[num]) ? &l4->stkctr[num] : NULL; + return &l4->stkctr[num]; } /* set return a boolean indicating if the requested session counter is