BUG/MINOR: backend: do not call smp_make_safe for sni conn hash
conn_hash_prehash does not need a nul-terminated string, thus it is only
needed to test if the sni sample is not null before using it as
connection hash input.
Moreover, a bug could be introduced between smp_make_safe and
ssl_sock_set_servername call. Indeed, smp_make_safe may call smp_dup
which duplicates the sample in the trash buffer. If another function
manipulates the trash buffer before the call to ssl_sock_set_servername,
the sni sample might be erased. Currently, no function seems to do that
except make_proxy_line in case proxy protocol is used simultaneously
with the sni on the server.
This does not need to be backported.
diff --git a/src/backend.c b/src/backend.c
index 5f6f038..e2fa3c3 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1289,7 +1289,12 @@
sni_smp = sample_fetch_as_type(s->be, s->sess, s,
SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
srv->ssl_ctx.sni, SMP_T_STR);
- if (smp_make_safe(sni_smp)) {
+
+ /* only test if the sample is not null as smp_make_safe (called
+ * before ssl_sock_set_servername) can only fails if this is
+ * not the case
+ */
+ if (sni_smp) {
sni_hash = conn_hash_prehash(sni_smp->data.u.str.area,
sni_smp->data.u.str.data);
hash_params.sni_prehash = &sni_hash;