From: Christopher Faulet Date: Fri, 6 Mar 2026 07:59:01 +0000 (+0100) Subject: BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures X-Git-Tag: v3.4-dev7~129 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bfe5a2c3d7e89f2beac14d5f8f5fca54c6642c11;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures In sample_conv_sha2(), calls to EVP_Digest* can fail. So we must check return value of each call and report an error on failure and release the digest context. This patch should fix the issue #3274. It should be backported as far as 2.6. --- diff --git a/src/ssl_sample.c b/src/ssl_sample.c index 5a3783a73..b2740f309 100644 --- a/src/ssl_sample.c +++ b/src/ssl_sample.c @@ -147,9 +147,14 @@ static int sample_conv_sha2(const struct arg *arg_p, struct sample *smp, void *p mdctx = EVP_MD_CTX_new(); if (!mdctx) return 0; - EVP_DigestInit_ex(mdctx, evp, NULL); - EVP_DigestUpdate(mdctx, smp->data.u.str.area, smp->data.u.str.data); - EVP_DigestFinal_ex(mdctx, (unsigned char*)trash->area, &digest_length); + + if (!EVP_DigestInit_ex(mdctx, evp, NULL) || + !EVP_DigestUpdate(mdctx, smp->data.u.str.area, smp->data.u.str.data) || + !EVP_DigestFinal_ex(mdctx, (unsigned char*)trash->area, &digest_length)) { + EVP_MD_CTX_free(mdctx); + return 0; + } + trash->data = digest_length; EVP_MD_CTX_free(mdctx);
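Review bot: the new failure branch in sample_conv_sha2() repeats the `EVP_MD_CTX_free(mdctx)` that already follows `trash->data = digest_length;`, so the function now has two release sites that must be kept in sync. A single exit path (set a result variable, then `goto` one label that frees the context) would keep a later early return from leaking `mdctx`. The `!` tests are correct for these three calls, which return 1 on success and 0 on failure, and returning 0 before `trash->data` is assigned means a partially written digest in `trash->area` is never given a length. A one-line comment on the branch saying so would document why nothing else needs to be reset there.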