From bf04e64f2cd47e2f2ff3376d7313956dc8e9dee0 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 3 Apr 2026 08:56:54 +0200 Subject: [PATCH] BUG/MINOR: cfgcond: always set the error string on openssl_version checks Using openssl_version_before() with an invalid argument results in "(null)" appearing in the error message due to -1 being returned without the error message being filled. Let's always fill the error message on error. This was introduced in 2.5 with commit 3aeb3f9347 ("MINOR: cfgcond: implements openssl_version_atleast and openssl_version_before"), and this fix must be backported to 2.6. --- src/cfgcond.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/cfgcond.c b/src/cfgcond.c index 07fe9c8fc..9eebada3a 100644 --- a/src/cfgcond.c +++ b/src/cfgcond.c @@ -272,8 +272,10 @@ int cfg_eval_cond_term(const struct cfg_cond_term *term, char **err) case CFG_PRED_OSSL_VERSION_ATLEAST: { // checks if the current openssl version is at least this one int opensslret = openssl_compare_current_version(term->args[0].data.str.area); - if (opensslret < -1) /* can't parse the string or no openssl available */ + if (opensslret < -1) { /* can't parse the string or no openssl available */ + memprintf(err, "invalid argument to conditional expression predicate '%s': '%s'", term->pred->word, term->args[0].data.str.area); ret = -1; + } else ret = opensslret <= 0; break; @@ -281,8 +283,10 @@ int cfg_eval_cond_term(const struct cfg_cond_term *term, char **err) case CFG_PRED_OSSL_VERSION_BEFORE: { // checks if the current openssl version is older than this one int opensslret = openssl_compare_current_version(term->args[0].data.str.area); - if (opensslret < -1) /* can't parse the string or no openssl available */ + if (opensslret < -1) { /* can't parse the string or no openssl available */ + memprintf(err, "invalid argument to conditional expression predicate '%s': '%s'", term->pred->word, term->args[0].data.str.area); ret = -1; + } else ret = opensslret > 0; break;