From a57786e87d0746baec43ea888bf6cd30c490d2fb Mon Sep 17 00:00:00 2001
From: Aurelien DARRAGON <adarragon@haproxy.com>
Date: Mon, 12 Sep 2022 09:26:21 +0200
Subject: [PATCH] BUG/MINOR: listener: null pointer dereference suspected by
 coverity

Please refer to GH #1859 for more info.
Coverity suspected improper proxy pointer handling.
Without the fix it is considered safe for the moment, but it might not
be the case in the future as we want to keep the ability to have
isolated listeners.

Making sure stop_listener(), pause_listener(), resume_listener()
and listener_release() functions make proper use
of px pointer in that context.

No need for backport except if multi-connection protocols (ie:FTP)
were to be backported as well.
---
 src/listener.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/listener.c b/src/listener.c
index b4b4d3d27..412af94a1 100644
--- a/src/listener.c
+++ b/src/listener.c
@@ -350,7 +350,7 @@ void stop_listener(struct listener *l, int lpx, int lpr)
 		return;
 	}
 
-	if (!lpx)
+	if (!lpx && px)
 		HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
 
 	if (!lpr)
@@ -364,7 +364,8 @@ void stop_listener(struct listener *l, int lpx, int lpr)
 		if (l->state >= LI_ASSIGNED)
 			__delete_listener(l);
 
-		proxy_cond_disable(px);
+		if (px)
+			proxy_cond_disable(px);
 	}
 
 	HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
@@ -372,7 +373,7 @@ void stop_listener(struct listener *l, int lpx, int lpr)
 	if (!lpr)
 		HA_SPIN_UNLOCK(PROTO_LOCK, &proto_lock);
 
-	if (!lpx)
+	if (!lpx && px)
 		HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
 }
 
@@ -465,7 +466,7 @@ int pause_listener(struct listener *l, int lpx)
 	struct proxy *px = l->bind_conf->frontend;
 	int ret = 1;
 
-	if (!lpx)
+	if (!lpx && px)
 		HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
 
 	HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
@@ -489,7 +490,7 @@ int pause_listener(struct listener *l, int lpx)
   end:
 	HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
 
-	if (!lpx)
+	if (!lpx && px)
 		HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
 
 	return ret;
@@ -514,7 +515,7 @@ int resume_listener(struct listener *l, int lpx)
 	int was_paused = px && px->li_paused;
 	int ret = 1;
 
-	if (!lpx)
+	if (!lpx && px)
 		HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
 
 	HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
@@ -550,7 +551,7 @@ int resume_listener(struct listener *l, int lpx)
   end:
 	HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
 
-	if (!lpx)
+	if (!lpx && px)
 		HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
 
 	return ret;
@@ -1240,7 +1241,7 @@ void listener_release(struct listener *l)
 	/* Dequeues all of the listeners waiting for a resource */
 	dequeue_all_listeners();
 
-	if (!MT_LIST_ISEMPTY(&fe->listener_queue) &&
+	if (fe && !MT_LIST_ISEMPTY(&fe->listener_queue) &&
 	    (!fe->fe_sps_lim || freq_ctr_remain(&fe->fe_sess_per_sec, fe->fe_sps_lim, 0) > 0))
 		dequeue_proxy_listeners(fe);
 }