From: Aurelien DARRAGON <adarragon@haproxy.com>
Date: Thu, 7 Aug 2025 11:04:26 +0000 (+0200)
Subject: BUG/MINOR: proxy: avoid NULL-deref in post_section_px_cleanup()
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=3759172015de8873be66098f76eef83447f8255c;p=thirdparty%2Fhaproxy.git

BUG/MINOR: proxy: avoid NULL-deref in post_section_px_cleanup()

post_section_px_cleanup(), which was implemented in abcc73830
("MEDIUM: proxy: register a post-section cleanup function"), is called
for the current section no matter if the parsing was aborted due to
a fatal error. In this case, the curproxy pointer may point to NULL,
yet post_section_px_cleanup() assumes curproxy pointer is always valid,
which could lead to NULL-deref.

For instance, the config below will cause SEGFAULT:

  listen toto titi

To fix the issue, let's simply consider that the curproxy pointer may
be NULL in post_section_px_cleanup(), in which case we skip the cleanup
for the curproxy since there is nothing we can do.

No backport needed
---

diff --git a/src/proxy.c b/src/proxy.c
index e45871372..caa33be2f 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -2823,6 +2823,8 @@ void proxy_adjust_all_maxconn()
  */
 static int post_section_px_cleanup()
 {
+	if (!curproxy)
+		return 0; // nothing to do
 	if ((curproxy->cap & PR_CAP_LISTEN) && !(curproxy->cap & PR_CAP_DEF)) {
 		/* This is a regular proxy (not defaults). It doesn't need
 		 * to keep a default-server section if it still had one. We