From: Alexander Stephan
Date: Thu, 25 Jun 2026 09:02:06 +0000 (+0000)
Subject: BUG/MINOR: sample: set SMP_F_CONST on srv_name fetch
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9475e69920f04174496caf71fcabf6e72824f5c2;p=thirdparty%2Fhaproxy.git

BUG/MINOR: sample: set SMP_F_CONST on srv_name fetch

smp_fetch_srv_name() stored a raw pointer to srv->id in the sample without setting SMP_F_CONST. Every other sibling id-pointer fetch (smp_fetch_be_name on px->id, smp_fetch_fe_name on fe->id, the SSL helpers using OBJ_nid2sn() / SSL_get_cipher_name(), etc.) correctly sets SMP_F_CONST to prevent in-place mutation by converters such as ,upper / ,lower / ,regsub.

Without SMP_F_CONST, an expression like srv_name,lower would write into srv->id for the lifetime of the process. In practice this has gone unnoticed because srv->id is a private allocation that is never read back by name, but the bug is real and the divergence from the other id fetches is unintentional.

This becomes more important with the introduction of runtime server renaming (next patch in series): SMP_F_CONST ensures that callers go through smp_make_rw() / smp_dup() before mutating, isolating the sample's bytes from the server's id storage.

This is a stand-alone fix and should be backported.
---
diff --git a/src/backend.c b/src/backend.c index efa90af98..d04466eea 100644 --- a/src/backend.c +++ b/src/backend.c @@ -3505,6 +3505,7 @@ smp_fetch_srv_name(const struct arg *args, struct sample *smp, const char *kw, v return 0; smp->data.type = SMP_T_STR; + smp->flags = SMP_F_CONST; smp->data.u.str.data = strlen(smp->data.u.str.area); return 1;
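
Review bot: The added line "smp->flags = SMP_F_CONST;" in smp_fetch_srv_name() is a plain assignment, so it clears any flag bits already set on the sample when the fetch runs. The code above the hunk is not shown here, so please confirm that nothing earlier in the function sets a flag that has to survive, or use "smp->flags |= SMP_F_CONST;" instead. If the assignment is deliberate, to match smp_fetch_be_name and smp_fetch_fe_name, a short comment saying that the area points at srv->id and must not be modified in place would keep the reason next to the code. The message says the fix should be backported but not how far; naming the oldest affected branch would help. Since the message gives srv_name,lower as the triggering expression, a regression test that applies that converter and then checks that the server's id is unchanged would lock in the behaviour before the renaming patch lands.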