From: Willy Tarreau
Date: Sun, 14 Aug 2016 10:02:55 +0000 (+0200)
Subject: BUG/MAJOR: stick-counters: possible crash when using sc_trackers with wrong table
X-Git-Tag: v1.7-dev4~4
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=4d03ef7f0319c5f73cbcb1d5c3025923226a1536;p=haproxy-2.5.git

BUG/MAJOR: stick-counters: possible crash when using sc_trackers with wrong table

Bryan Talbot reported a very interesting bug. The sc_trackers() sample fetch seems to have escaped the sanitization that was performed during 1.5 to ensure all dereferences of stkctr_entry() were safe. Here if a tracker is set on a backend and is then checked against a different backend where the entry doesn't exist, stkctr_entry() returns NULL and this is dereferenced to retrieve the ref count.

Thanks to Bryan for his detailed bug report featuring a working config and reproducer.

This fix must be backported to 1.6 and 1.5.
---
diff --git a/src/stream.c b/src/stream.c index 172d78c..3eb5265 100644 --- a/src/stream.c +++ b/src/stream.c @@ -3262,7 +3262,7 @@ smp_fetch_sc_trackers(const struct arg *args, struct sample *smp, const char *kw smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; - smp->data.u.sint = stkctr_entry(stkctr)->ref_cnt; + smp->data.u.sint = stkctr_entry(stkctr) ? stkctr_entry(stkctr)->ref_cnt : 0; return 1; }
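
Review bot: The new assignment in smp_fetch_sc_trackers() evaluates stkctr_entry(stkctr) twice, once for the NULL test and once for the dereference. Reading it once into a local pointer and testing that pointer would guarantee the check and the use see the same value, and it is easier to read, e.g. a hypothetical local `ts` with `smp->data.u.sint = ts ? ts->ref_cnt : 0;`. Separately, when the entry is missing the function still reaches `return 1;` with a value of 0, so a rule cannot tell "no entry in this table" from "entry with zero trackers". If that is the intended semantics, a one-line comment above the assignment saying so would keep a later cleanup from turning it back into an unconditional dereference. Since the message says this fetch escaped the earlier sanitization, it is also worth confirming in the same pass that no other stkctr_entry() caller in src/stream.c still dereferences the result unchecked.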