From: William Lallemand Date: Tue, 21 May 2024 09:01:59 +0000 (+0200) Subject: MINOR: ssl: check parameter in ckch_conf_cmp() X-Git-Tag: v3.0-dev13~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d74ba7cc24490d1ef53112b9a89e32c49a731fb0;p=thirdparty%2Fhaproxy.git MINOR: ssl: check parameter in ckch_conf_cmp() Check prev and new parameters in ckch_conf_cmp() so we don't dereference a NULL ptr. There is no risk since it's not used with a NULL ptr yet. Also remove the check that are done later, and do it at the beginning of the function. Should fix issue #2572. --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index a354b9e3af..9961e025bc 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -4168,6 +4168,9 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err) int ret = 0; int i; + if (!prev || !new) + return 1; + /* compatibility check */ if (prev->used == CKCH_CONF_SET_EMPTY) { @@ -4197,8 +4200,8 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err) switch (ckch_conf_kws[i].type) { case PARSE_TYPE_STR: { char *avail1, *avail2; - avail1 = prev ? *(char **)((intptr_t)prev + (ptrdiff_t)ckch_conf_kws[i].offset) : NULL; - avail2 = new ? *(char **)((intptr_t)new + (ptrdiff_t)ckch_conf_kws[i].offset) : NULL; + avail1 = *(char **)((intptr_t)prev + (ptrdiff_t)ckch_conf_kws[i].offset); + avail2 = *(char **)((intptr_t)new + (ptrdiff_t)ckch_conf_kws[i].offset); /* must alert when strcmp is wrong, or when one of the field is NULL */ if (((avail1 && avail2) && strcmp(avail1, avail2) != 0) || (!!avail1 ^ !!avail2)) { @@ -4217,8 +4220,8 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err) int q1, q2; /* final ocsp-update value (from default) */ - o1 = prev ? *(int *)((intptr_t)prev + (ptrdiff_t)ckch_conf_kws[i].offset) : 0; - o2 = new ? *(int *)((intptr_t)new + (ptrdiff_t)ckch_conf_kws[i].offset) : 0; + o1 = *(int *)((intptr_t)prev + (ptrdiff_t)ckch_conf_kws[i].offset); + o2 = *(int *)((intptr_t)new + (ptrdiff_t)ckch_conf_kws[i].offset); q1 = (o1 == SSL_SOCK_OCSP_UPDATE_DFLT) ? global_ssl.ocsp_update.mode : o1; q2 = (o2 == SSL_SOCK_OCSP_UPDATE_DFLT) ? global_ssl.ocsp_update.mode : o2;