From: Thierry Fournier <thierry.fournier@ozon.io>
Date: Mon, 6 Jun 2016 16:28:05 +0000 (+0200)
Subject: BUG/MEDIUM: sticktables: segfault in some configuration error cases
X-Git-Tag: v1.7-dev4~83
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fc340ff07171bb85d11d835fa4158bbdef240a0;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: sticktables: segfault in some configuration error cases

When a stick table is tracked, and another one is used later on the
configuration, a segfault occurs.

The function "smp_create_src_stkctr" can return a NULL value, and
its value is not tested, so one other function try to dereference
a NULL pointer. This patch just add a verification of the NULL
pointer.

The problem is reproduced with this configuration:

   listen www
       mode http
       bind :12345
       tcp-request content track-sc0 src table IPv4
       http-request allow if { sc0_inc_gpc0(IPv6) gt 0 }
       server dummy 127.0.0.1:80
   backend IPv4
       stick-table type ip size 10 expire 60s store gpc0
   backend IPv6
       stick-table type ipv6 size 10 expire 60s store gpc0

Thank to kabefuna@gmail.com for the bug report.

This patch must be backported in the 1.6 and 1.5 version.
---

diff --git a/src/stream.c b/src/stream.c
index 2ca3b36006..fc113ec190 100644
--- a/src/stream.c
+++ b/src/stream.c
@@ -2821,7 +2821,7 @@ smp_fetch_sc_inc_gpc0(const struct arg *args, struct sample *smp, const char *kw
 	if (stkctr_entry(stkctr) == NULL)
 		stkctr = smp_create_src_stkctr(smp->sess, smp->strm, args, kw);
 
-	if (stkctr_entry(stkctr) != NULL) {
+	if (stkctr && stkctr_entry(stkctr)) {
 		void *ptr1,*ptr2;
 
 		/* First, update gpc0_rate if it's tracked. Second, update its