BUG/MAJOR: Stick-tables crash with segfault when the key is not in the stick-table
When a lookup is done on a key not present in the stick-table the "st"
pointer is NULL and it is used to return the converter result, but it
is used untested with stktable_release().
This regression was introduced in 1.8.10 here:
BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters
commit d7bd88009d88dd413e01bc0baa90d6662a3d7718
Author: Daniel Corbett <dcorbett@haproxy.com>
Date: Sun May 27 09:47:12 2018 -0400
Minimal conf for reproducing the problem:
    frontend test
        mode http
        stick-table type ip size 1m expire 1h store gpc0
        bind *:8080
        http-request redirect location /a if { src,in_table(test) }
The segfault is triggered using:
    curl -i http://127.0.0.1:8080/
This patch must be backported in 1.8
diff --git a/src/stick_table.c b/src/stick_table.c
index 101a4e2..4294654 100644
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -875,7 +875,8 @@
smp->data.type = SMP_T_BOOL;
smp->data.u.sint = !!ts;
smp->flags = SMP_F_VOL_TEST;
- stktable_release(t, ts);
+ if (ts)
+ stktable_release(t, ts);
return 1;
}
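Review bot: The NULL check is added only at this one stktable_release(t, ts) call, after smp->flags = SMP_F_VOL_TEST, while the commit message attributes the regression to a change across the table_* converters. Each of the other converters that ends with stktable_release(t, ts) should be confirmed to return before that call when the lookup finds no entry, or be given the same "if (ts)" guard. Alternatively, putting the NULL test inside stktable_release() itself would cover every caller at once, so a converter added later cannot reintroduce the crash that the reproducer triggers with a single HTTP request.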