From: Willy Tarreau Date: Sun, 26 Apr 2026 21:56:00 +0000 (+0200) Subject: BUG/MINOR: sample: fix NULL strm dereference in sample_conv_when X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=25c8d7b09428c02a336049cfa64d7fada4135fc4;p=thirdparty%2Fhaproxy.git BUG/MINOR: sample: fix NULL strm dereference in sample_conv_when Several cases in sample_conv_when (FORWARDED, TOAPPLET, PROCESSED, ACL) access smp->strm->scb without checking if strm is NULL. The strm field may be NULL (e.g., tcp-request connection). Let's add NULL checks to prevent dereferencing a NULL pointer. This should be backported to 3.1. --- diff --git a/src/sample.c b/src/sample.c index 154adbde8..24891d457 100644 --- a/src/sample.c +++ b/src/sample.c @@ -4028,20 +4028,20 @@ static int sample_conv_when(const struct arg *arg_p, struct sample *smp, void *p break; case WHEN_COND_FORWARDED: // true if forwarded to a connection - ret = !!sc_conn(smp->strm->scb); + ret = strm && !!sc_conn(strm->scb); break; case WHEN_COND_TOAPPLET: // true if handled as an applet - ret = !!sc_appctx(smp->strm->scb); + ret = strm && !!sc_appctx(strm->scb); break; case WHEN_COND_PROCESSED: // true if forwarded or appctx - ret = sc_conn(smp->strm->scb) || sc_appctx(smp->strm->scb); + ret = strm && (sc_conn(strm->scb) || sc_appctx(strm->scb)); break; case WHEN_COND_ACL: // true if the ACL pointed to by args[2] evaluates to true acl_sample = arg_p[2].data.ptr; - ret = acl_exec_cond(&acl_sample->cond, smp->px, smp->sess, smp->strm, smp->opt) == ACL_TEST_PASS; + ret = acl_exec_cond(&acl_sample->cond, smp->px, smp->sess, strm, smp->opt) == ACL_TEST_PASS; break; }
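Review bot: The WHEN_COND_ACL case gets no NULL guard. Unlike the three cases above it, the new line only replaces `smp->strm` with the local `strm` and still hands a possibly-NULL stream to `acl_exec_cond()`, although the description lists ACL among the fixed cases. If `acl_exec_cond()` and the fetches it evaluates are expected to cope with a NULL stream, a short comment would make that explicit, e.g. `// strm may be NULL here (no stream yet); acl_exec_cond() is expected to handle it`. Otherwise this case needs the same `strm &&` guard as the others. The declaration of `strm` and the rest of sample_conv_when lie outside the hunk, so this assumes `strm` is initialised from `smp->strm`.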