From: Christopher Faulet
Date: Thu, 4 Jun 2026 16:43:12 +0000 (+0200)
Subject: BUG/MEDIUM: check: Skip tcpcheck post-config for external checks
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=6a7b27a0a4ec72bea959e5950085725332926c7b;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: check: Skip tcpcheck post-config for external checks

When an external check was configured on a backend, the tcpcheck post config for the backend's servers was still performed instead of being skipped. This led to a NULL-deref on the tcpcheck ruleset pointer and so to a segfault.

It seems to be only an issue for the 3.4 and higher. However, for older versions, the tcpcheck post-config is still performed for external checks and it is not really clean. This can hide some bugs.

For the 3.4, a workaround consists in configuring the backend to use a tcp-check before configuring the external check:

    backend be
        option tcp-check
        option external-check
        ...

This patch should fix the issue #3407. It could be good to backport it to all supported versions.

--- diff --git a/src/check.c b/src/check.c index 01c3d2132..be9794680 100644 --- a/src/check.c +++ b/src/check.c @@ -1799,6 +1799,9 @@ int init_srv_check(struct server *srv) if (!srv->do_check || !(srv->proxy->cap & PR_CAP_BE)) goto out; + if ((srv->proxy->options2 & PR_O2_CHK_ANY) != PR_O2_TCPCHK_CHK) + goto init; + check_type = srv->check.tcpcheck->rs->flags & TCPCHK_RULES_PROTO_CHK; if (!(srv->flags & SRV_F_DYNAMIC)) {
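
Review bot: the new guard in init_srv_check() tests the proxy-level option (`(srv->proxy->options2 & PR_O2_CHK_ANY) != PR_O2_TCPCHK_CHK`) while the line right after it dereferences the server-level pointer `srv->check.tcpcheck->rs->flags`, so the fix relies on an unstated invariant that a proxy in tcp-check mode always has a non-NULL ruleset on each of its servers. Please add a short comment above the `goto init` saying that only tcp-check based checks have a ruleset to post-configure, and either document that invariant or also test the pointer before reading `rs->flags`. The `init` label is outside the visible context, so it is worth confirming that nothing between this point and that label is still needed for external checks. A regression test with a backend that sets only `option external-check` would cover the segfault described in the commit message.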