commit 11389018bc92bf7b94533e682af5cb4bbf0e43d9
author Christopher Faulet <cfaulet@haproxy.com> Thu Feb 07 16:13:26 2019 +0100
committer Christopher Faulet <cfaulet@haproxy.com> Thu Feb 07 21:23:58 2019 +0100
tree 4e7d1d6f8fb775dbc7364fc65d34cb10b145f2df
parent ff9c9140f4da4f14bef8c9a5955f9453d0f26c60

BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck

During SPOP healthchecks, a dummy appctx is used to create the HAPROXY-HELLO
frame and then to parse the AGENT-HELLO frame. No agent are attached to it. So
it is important to not rely on an agent during these stages. When HAPROXY-HELLO
frame is created, there is no problem, all accesses to an agent are
guarded. This is not true during the parsing of the AGENT-HELLO frame. Thus, it
is possible to crash HAProxy with a SPOA declaring the async or the pipelining
capability during a healthcheck.

This patch must be backported to 1.9 and 1.8.

src/flt_spoe.c

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 0f7a21a..1a1194f 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -825,10 +825,14 @@
 		SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_NO_FRAME_SIZE;
 		return -1;
 	}
-	if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & SPOE_FL_PIPELINING))
-		flags &= ~SPOE_APPCTX_FL_PIPELINING;
-	if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC))
-		flags &= ~SPOE_APPCTX_FL_ASYNC;
+	if (!agent)
+		flags &= ~(SPOE_APPCTX_FL_PIPELINING|SPOE_APPCTX_FL_ASYNC);
+	else {
+		if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & SPOE_FL_PIPELINING))
+			flags &= ~SPOE_APPCTX_FL_PIPELINING;
+		if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC))
+			flags &= ~SPOE_APPCTX_FL_ASYNC;
+	}
 
 	SPOE_APPCTX(appctx)->version        = (unsigned int)vsn;
 	SPOE_APPCTX(appctx)->max_frame_size = (unsigned int)max_frame_size;