From: Aurelien DARRAGON Date: Mon, 19 Jan 2026 15:35:37 +0000 (+0100) Subject: BUG/MEDIUM: log: parsing log-forward options may result in segfault X-Git-Tag: v3.4-dev3~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9156d5f77582d2896fda9e77e08c065f88256e73;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: log: parsing log-forward options may result in segfault As reported by GH user @HiggsTeilchen on #3250, the use of "option dont-parse-log" may result in segmentation fault when parsing the configuration. In fact, "option assume-rfc6587-ntf" is also affected. The reason behind this is that cfg_parse_log_forward() leverages the cfg_parse_listen_match_option() function to check for generic proxy options that are relevant in the PR_MODE_SYSLOG context. And while it is not documented, this function assumes that the currently evaluated proxy is stored in the global variable 'curproxy', which cfg_parse_log_forward() doesn't offer. cfg_parse_listen_match_option() uses curproxy to check the currently evaluated proxy's capabilities is compatible with the option, so if a proxy with the frontend capability was defined earlier in the config, parsing would succeed, if curproxy points to proxy without the frontend capabilty (ie: backend), a warning would be emitted to tell that the option would be ignored while it is perfectly valid for the log-forward proxy, and if no proxy was defined earlier in the config a segfault would be triggered. To fix the issue, we explicitly make "curproxy" global variable point to the log-forward proxy being parsed in cfg_parse_log_forward() before leveraging cfg_parse_listen_match_option() to check for compatible options. It must be backported with 834e9af8 ("MINOR: log: add options eval for log-forward"), which was introduced in 3.2 precisely. --- diff --git a/src/log.c b/src/log.c index 3172ca861..9fc0d86aa 100644 --- a/src/log.c +++ b/src/log.c @@ -6276,7 +6276,10 @@ int cfg_parse_log_forward(const char *file, int linenum, char **args, int kwm) /* only consider options that are frontend oriented and log oriented, such options may be set * in px->options2 because px->options is already full of tcp/http oriented options + * also, cfg_parse_listen_match_option() assumes global curproxy variable points to + * currently evaluated proxy */ + curproxy = cfg_log_forward; if (cfg_parse_listen_match_option(file, linenum, kwm, cfg_opts3, &err_code, args, PR_MODE_SYSLOG, PR_CAP_FE, &cfg_log_forward->options3, &cfg_log_forward->no_options3))