From: Dragan Dosen Date: Mon, 4 May 2020 07:07:28 +0000 (+0200) Subject: BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id() X-Git-Tag: v2.1.5~29 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=1028e256e249bc75893b108154fc499ab1b5f825;p=haproxy-2.1.git BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id() After we call SSL_SESSION_get_id(), the length of the id in bytes is stored in "len", which was never checked. This could cause unexpected behavior when using the "ssl_fc_session_id" or "ssl_bc_session_id" fetchers (eg. the result can be an empty value). The issue was introduced with commit 105599c ("BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions"). This patch must be backported to 2.1, 2.0, and 1.9. (cherry picked from commit f35d69e7fc13aab89afcf394c5b96133d3060c1a) Signed-off-by: Christopher Faulet --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 82f40cc..6bbb1a3 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -8005,7 +8005,7 @@ smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const ch return 0; smp->data.u.str.area = (char *)SSL_SESSION_get_id(ssl_sess, &len); - if (!smp->data.u.str.area || !smp->data.u.str.data) + if (!smp->data.u.str.area || !len) return 0; smp->data.u.str.data = len;
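Review bot: in the smp_fetch_ssl_fc_session_id() hunk, the `if (!smp->data.u.str.area || !len) return 0;` path returns with `smp->data.u.str.area` already overwritten by the SSL_SESSION_get_id() result while `smp->data.u.str.data` still holds whatever it had before, so the sample is left half-updated on failure. Consider reading the id into a local pointer, testing that pointer and `len`, and only then assigning `area` and `data` together. That ordering would also have made the original mistake (testing `data` before it was set from `len`) harder to write. Separately, the `(char *)` cast drops the const qualifier from the pointer OpenSSL returns. A short comment saying the buffer belongs to the session and must not be modified through the sample would help future readers. Since the commit message says the fetch could return an empty value, a regression test asserting a non-empty "ssl_fc_session_id" on an established session would catch a recurrence.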