From 857095c1213a24e9a48dc2e2ce05e3b01a3bc049 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 16 Nov 2022 18:56:34 +0100
Subject: [PATCH] BUG/MEDIUM: ring: fix creation of server in uninitialized
 ring

If a "ring" section initialization fails (e.g. due to a duplicate name,
invalid chars, or missing memory), any subsequent "server" statement that
appears in the same section will crash the config parser by dereferencing
the currently NULL cfg_sink. E.g:

    ring x
    ring x                 # fails on "already exists"
       server srv 1.1.1.1  # crashes on cfg_sink==NULL

All other statements have a test for this but "server" was missing it,
so this patch adds it.

Thanks to Joel Hutchinson for reporting this issue.

This must be backported as far as 2.2.

(cherry picked from commit 1b662aabbfa32fb6ddeff4ff5f0e3031f12dafd3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---
 src/sink.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/sink.c b/src/sink.c
index de1e9cfbf..ef3d0f0f2 100644
--- a/src/sink.c
+++ b/src/sink.c
@@ -954,6 +954,12 @@ int cfg_parse_ring(const char *file, int linenum, char **args, int kwm)
 		cfg_sink->ctx.ring = ring_make_from_area(area, size);
 	}
 	else if (strcmp(args[0],"server") == 0) {
+		if (!cfg_sink || (cfg_sink->type != SINK_TYPE_BUFFER)) {
+			ha_alert("parsing [%s:%d] : unable to create server '%s'.\n", file, linenum, args[1]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto err;
+		}
+
 		err_code |= parse_server(file, linenum, args, cfg_sink->forward_px, NULL,
 		                         SRV_PARSE_PARSE_ADDR|SRV_PARSE_INITIAL_RESOLVE);
 	}