From: Aurelien DARRAGON Date: Tue, 22 Aug 2023 09:03:06 +0000 (+0200) Subject: BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage X-Git-Tag: v2.9-dev4~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee1891ccbe1d0e614985d30b83036567bcc3784e;p=thirdparty%2Fhaproxy.git BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage As reported by Coverity in GH #2253, stktable_data_ptr() usage in hlua_stktable_dump() func is potentially unsafe because stktable_data_ptr() may return NULL and the returned value is dereferenced as-is without precautions. In practise, this should not happen because some error checking was already performed prior to calling stktable_data_ptr(). But since we're using the safe stktable_data_ptr() function, all the error checking is already done within the function, thus all we need to do is check ptr against NULL instead to protect against NULL dereferences. This should be backported in every stable versions. --- diff --git a/src/hlua_fcn.c b/src/hlua_fcn.c index 091a23e6fb..9937082138 100644 --- a/src/hlua_fcn.c +++ b/src/hlua_fcn.c @@ -859,12 +859,12 @@ static void hlua_stktable_entry(lua_State *L, struct stktable *t, struct stksess for (dt = 0; dt < STKTABLE_DATA_TYPES; dt++) { - if (t->data_ofs[dt] == 0) + ptr = stktable_data_ptr(t, ts, dt); + if (!ptr) continue; lua_pushstring(L, stktable_data_types[dt].name); - ptr = stktable_data_ptr(t, ts, dt); switch (stktable_data_types[dt].std_type) { case STD_T_SINT: lua_pushinteger(L, stktable_data_cast(ptr, std_t_sint)); @@ -1056,10 +1056,9 @@ int hlua_stktable_dump(lua_State *L) /* multi condition/value filter */ skip_entry = 0; for (i = 0; i < filter_count; i++) { - if (t->data_ofs[filter[i].type] == 0) - continue; - ptr = stktable_data_ptr(t, ts, filter[i].type); + if (!ptr) + continue; switch (stktable_data_types[filter[i].type].std_type) { case STD_T_SINT:
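Review bot: The new `if (!ptr) continue;` in the hlua_stktable_entry() loop carries no comment saying that a NULL return from stktable_data_ptr() now replaces the removed `t->data_ofs[dt] == 0` test. A later reader could take it for a redundant check, or move the lookup back below `lua_pushstring()`. A one-line comment above the call would record the intent, for example `/* NULL: this data type is not stored in the table, skip before pushing the key */`. The ordering presumably matters because a `continue` after the push would leave a key on the Lua stack without its value. The loop body continues outside the hunk, and the same comment would fit the second hunk in hlua_stktable_dump().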
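Review bot: In the hlua_stktable_dump() filter loop, a NULL `ptr` reaches `continue` with `skip_entry` still 0, so a condition that cannot be evaluated is dropped and the entry is kept. The commit message says earlier checks should make this unreachable, and the old `data_ofs` test behaved the same way, but the defensive fallback is fail-open: the dump could return entries that were never compared against that filter. If an unevaluable condition should exclude the entry instead, the branch would read `if (!ptr) { skip_entry = 1; break; }`. If keeping the entry is intended, a comment such as `/* type not stored: condition ignored, entry kept */` would make that choice explicit. How `skip_entry` is consumed lies outside the hunk, so confirm against the rest of the loop.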