From 3608374d6dd549346066842544d521d7fa0bde37 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 3 Apr 2026 08:51:02 +0200 Subject: [PATCH] BUG/MINOR: cfgcond: properly set the error pointer on evaluation error cfg_eval_condition() says that the pointer will be set upon error. However, cfg_eval_cond_expr() can fail (e.g. failure to handle a dynamic argument) but would branch to "done" and leave errptr unset. Let's check for this case as well. This bug was reported by OSS Fuzz here: https://issues.oss-fuzz.com/issues/499135825 The bug was introduced in 2.5 around commit ca81887599 ("MINOR: cfgcond: insert an expression between the condition and the term") so the fix must be backported as far as 2.6. --- src/cfgcond.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/cfgcond.c b/src/cfgcond.c index 7be2e7a47..07fe9c8fc 100644 --- a/src/cfgcond.c +++ b/src/cfgcond.c @@ -564,6 +564,8 @@ int cfg_eval_condition(char **args, char **err, const char **errptr) } ret = cfg_eval_cond_expr(expr, err); + if (ret < 0) + goto fail; goto done; }
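Review bot: the added `if (ret < 0) goto fail;` after `ret = cfg_eval_cond_expr(expr, err);` in cfg_eval_condition() depends entirely on the `fail` label, which is outside the visible context, to honour the contract the commit message cites. Please confirm two things on that path. First, that `fail` assigns `*errptr` when `errptr` is non-NULL, and that the position it reports is meaningful for an evaluation failure rather than a parse failure, since by this point parsing has already succeeded. Second, that `expr` is released on `fail` the same way it is on `done`, so that the new branch does not turn an unset pointer into a leak. A one-line comment above the check saying that evaluation errors must also set errptr would help keep the two exits in sync, and because the report came from OSS Fuzz, a regression test built from the failing condition would guard the backports down to 2.6.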