From 49f6f4b1a7895b8906c2ee5a183f013db00fcaf0 Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@haproxy.com>
Date: Wed, 25 May 2022 10:12:07 +0200
Subject: [PATCH] BUG/MEDIUM: peers: fix segfault using multiple bind on peers
 sections

If multiple "bind" lines were present on the "peers" section, multiple
listeners were added to a list but the code mistakenly initialize
the first member and this first listener was re-configured instead of
the newly created one. The last one remains uninitialized causing a null
dereference a soon a connection is received.

In addition, the 'peers' sections and protocol are not currently designed to
handle multiple listeners.

This patch check if there is already a listener configured on the 'peers'
section when we want to create a new one. This is rising an error if
a listener is already present showing the file and line in the error
message.

To keep the file and line number of the previous listener available
for the error message, the 'bind_conf_uniq_alloc' function was modified
to keep the file/line data the struct 'bind_conf' was firstly
allocated (previously it was updated each time the 'bind_conf' was
reused).

This patch should be backported until version 2.0
---
 src/cfgparse.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 40c5a16e1..52bf2ffdd 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -615,9 +615,10 @@ static struct bind_conf *bind_conf_uniq_alloc(struct proxy *p,
 
 	if (!LIST_ISEMPTY(&p->conf.bind)) {
 		bind_conf = LIST_ELEM((&p->conf.bind)->n, typeof(bind_conf), by_fe);
-		free(bind_conf->file);
-		bind_conf->file = strdup(file);
-		bind_conf->line = line;
+		/*
+		 * We keep bind_conf->file and bind_conf->line unchanged
+		 * to make them available for error messages
+		 */
 		if (arg) {
 			free(bind_conf->arg);
 			bind_conf->arg = strdup(arg);
@@ -712,6 +713,11 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
 				goto out;
 			}
 
+			if (!LIST_ISEMPTY(&bind_conf->listeners)) {
+				ha_alert("parsing [%s:%d] : One listener per \"peers\" section is authorized but another is already configured at [%s:%d].\n", file, linenum, bind_conf->file, bind_conf->line);
+				err_code |= ERR_FATAL;
+			}
+
 			if (!str2listener(args[1], curpeers->peers_fe, bind_conf, file, linenum, &errmsg)) {
 				if (errmsg && *errmsg) {
 					indent_msg(&errmsg, 2);
@@ -910,6 +916,11 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
 
 		bind_conf = bind_conf_uniq_alloc(curpeers->peers_fe, file, linenum, args[2], xprt_get(XPRT_RAW));
 
+		if (!LIST_ISEMPTY(&bind_conf->listeners)) {
+			ha_alert("parsing [%s:%d] : One listener per \"peers\" section is authorized but another is already configured at [%s:%d].\n", file, linenum, bind_conf->file, bind_conf->line);
+			err_code |= ERR_FATAL;
+		}
+
 		if (!str2listener(args[2], curpeers->peers_fe, bind_conf, file, linenum, &errmsg)) {
 			if (errmsg && *errmsg) {
 				indent_msg(&errmsg, 2);