From: William Lallemand <wlallemand@haproxy.com>
Date: Mon, 20 Apr 2026 08:58:08 +0000 (+0200)
Subject: BUILD: ssl/sample: potential null pointer dereference in sample_conv_aes
X-Git-Tag: v3.4-dev10~140
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=95e9629530e07682ffd061e92e0e51506e4b3f70;p=haproxy.git

BUILD: ssl/sample: potential null pointer dereference in sample_conv_aes

gcc flags aead_tag_trash as potentially NULL at the chunk_memcpy call
inside the (!dec && gcm) block, because it cannot correlate the
condition with the allocation that only happens in that same branch. Add
an explicit NULL check to silence the warning.

This was caught by cross-zoo.yml:

In file included from include/haproxy/connection.h:28,
                 from src/ssl_sample.c:27:
In function ‘b_orig’,
    inlined from ‘sample_conv_aes’ at src/ssl_sample.c:540:23:
include/haproxy/buf.h:80:17: error: potential null pointer dereference [-Werror=null-dereference]
   80 |         return b->area;
      |                ~^~~~~~
In function ‘b_data’,
    inlined from ‘sample_conv_aes’ at src/ssl_sample.c:540:3:
include/haproxy/buf.h:100:17: error: potential null pointer dereference [-Werror=null-dereference]
  100 |         return b->data;
      |                ~^~~~~~
---

diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index 35850c29e..7c10e43be 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -537,6 +537,9 @@ static int sample_conv_aes(const struct arg *arg_p, struct sample *smp, void *pr
 	if (!dec && gcm) {
 		struct buffer *trash = get_trash_chunk();
 
+		if (!aead_tag_trash)
+			goto end;
+
 		chunk_memcpy(trash, b_orig(aead_tag_trash), b_data(aead_tag_trash));
 
 		aead_tag.data.u.str = *smp_trash_alloc;