From 4d03ef7f0319c5f73cbcb1d5c3025923226a1536 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Sun, 14 Aug 2016 12:02:55 +0200
Subject: [PATCH] BUG/MAJOR: stick-counters: possible crash when using sc_trackers with wrong table
Bryan Talbot reported a very interesting bug. The sc_trackers() sample fetch seems to have escaped the sanitization that was performed during 1.5 to ensure all dereferences of stkctr_entry() were safe. Here if a tacker is set on a backend and is then checked against a different backend where the entry doesn't exist, stkctr_entry() returns NULL and this is dereferenced to retrieve the ref count. Thanks to Bryan for his detailed bug report featuring a working config and reproducer. This fix must be backported to 1.6 and 1.5.
---
src/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/stream.c b/src/stream.c
index 172d78c868..3eb5265db4 100644
--- a/src/stream.c
+++ b/src/stream.c
@@ -3262,7 +3262,7 @@ smp_fetch_sc_trackers(const struct arg *args, struct sample *smp, const char *kw
 smp->flags = SMP_F_VOL_TEST;
 smp->data.type = SMP_T_SINT;
- smp->data.u.sint = stkctr_entry(stkctr)->ref_cnt;
+ smp->data.u.sint = stkctr_entry(stkctr) ? stkctr_entry(stkctr)->ref_cnt : 0;
 return 1;
 }
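Review bot: The added line evaluates `stkctr_entry(stkctr)` twice, once in the test and once in the dereference; the NULL check is correct, but the file's other sc_* fetches keep the looked-up entry in a local and test that, so this one should read `struct stksess *ts = stkctr_entry(stkctr);` followed by `smp->data.u.sint = ts ? ts->ref_cnt : 0;`, which also makes the "no entry in this table yields 0" contract visible at a glance. A one-line comment above it, `/* entry may be NULL when the tracker was set on another table */`, would record why the fallback is 0 rather than an error, since the commit message is the only place that currently explains it. The enclosing function smp_fetch_sc_trackers() starts outside the hunk, so whether stkctr itself is already NULL-checked earlier in the body cannot be confirmed from here; the name suggests smp_fetch_sc_stkctr() handles that, but it is worth verifying before backporting to 1.5 and 1.6 as the message requests.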