BUG/MINOR: backend: do not call smp_make_safe for sni conn hash

conn_hash_prehash does not need a nul-terminated string, thus it is only needed to test if the sni sample is not null before using it as connection hash input. Moreover, a bug could be introduced between smp_make_safe and ssl_sock_set_servername call. Indeed, smp_make_safe may call smp_dup which duplicates the sample in the trash buffer. If another function manipulates the trash buffer before the call to ssl_sock_set_servername, the sni sample might be erased. Currently, no function seems to do that except make_proxy_line in case proxy protocol is used simultaneously with the sni on the server. This does not need to be backported.
2025-01-20 20:50:44 +00:00 · 2021-02-17 15:59:02 +01:00 · 2021-02-17 15:59:02 +01:00 · 4c09800b76
commit 4c09800b76
parent ffcd290ddd
1 changed files with 6 additions and 1 deletions
--- a/src/backend.c
+++ b/src/backend.c
@ -1289,7 +1289,12 @@ int connect_server(struct stream *s)
 		sni_smp = sample_fetch_as_type(s->be, s->sess, s,
 		                               SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
 		                               srv->ssl_ctx.sni, SMP_T_STR);
-		if (smp_make_safe(sni_smp)) {
+
+		/* only test if the sample is not null as smp_make_safe (called
+		 * before ssl_sock_set_servername) can only fails if this is
+		 * not the case
+		 */
+		if (sni_smp) {
 			sni_hash = conn_hash_prehash(sni_smp->data.u.str.area,
 			                             sni_smp->data.u.str.data);
 			hash_params.sni_prehash = &sni_hash;