From: Willy Tarreau Date: Tue, 12 Apr 2022 05:40:42 +0000 (+0200) Subject: MINOR: ssl: refine the error testing for fc_err and fc_err_str X-Git-Tag: v2.6-dev6~122 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ce7a5e0967b09c8ac9b0078cc647ee0074be34f1;p=thirdparty%2Fhaproxy.git MINOR: ssl: refine the error testing for fc_err and fc_err_str In issue #1645, coverity suspects some dead code due to a pair of remaining tests on "if (!ctx)". While all other functions test the context earlier, these ones used to only test the connection and the transport. It's still not very clear to me if there are certain error cases that can lead to no SSL being initially set while the rest is ready, and the SSL arriving later, but better preserve this original construct by testing first the connection and only later the context. --- diff --git a/src/ssl_sample.c b/src/ssl_sample.c index fe2817baee..437952619c 100644 --- a/src/ssl_sample.c +++ b/src/ssl_sample.c @@ -1655,8 +1655,7 @@ smp_fetch_ssl_fc_err(const struct arg *args, struct sample *smp, const char *kw, conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(smp->strm->csb) : NULL; - ctx = conn_get_ssl_sock_ctx(conn); - if (!ctx) + if (!conn) return 0; if (conn->flags & CO_FL_WAIT_XPRT && !conn->err_code) { @@ -1664,6 +1663,7 @@ smp_fetch_ssl_fc_err(const struct arg *args, struct sample *smp, const char *kw, return 0; } + ctx = conn_get_ssl_sock_ctx(conn); if (!ctx) return 0; @@ -1708,8 +1708,7 @@ smp_fetch_ssl_fc_err_str(const struct arg *args, struct sample *smp, const char conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : smp->strm ? cs_conn(smp->strm->csb) : NULL; - ctx = conn_get_ssl_sock_ctx(conn); - if (!ctx) + if (!conn) return 0; if (conn->flags & CO_FL_WAIT_XPRT && !conn->err_code) { @@ -1717,6 +1716,7 @@ smp_fetch_ssl_fc_err_str(const struct arg *args, struct sample *smp, const char return 0; } + ctx = conn_get_ssl_sock_ctx(conn); if (!ctx || !ctx->error_code) return 0;