From bfe5a2c3d7e89f2beac14d5f8f5fca54c6642c11 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 6 Mar 2026 08:59:01 +0100
Subject: [PATCH] BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures

In sample_conv_sha2(), calls to EVP_Digest* can fail. So we must check return value of each call and report a error on failure and release the digest context. This patch should fix the issue #3274. It should be backported as far as 2.6.
---
 src/ssl_sample.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index 5a3783a73..b2740f309 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -147,9 +147,14 @@ static int sample_conv_sha2(const struct arg *arg_p, struct sample *smp, void *p
 mdctx = EVP_MD_CTX_new();
 if (!mdctx)
 return 0;
- EVP_DigestInit_ex(mdctx, evp, NULL);
- EVP_DigestUpdate(mdctx, smp->data.u.str.area, smp->data.u.str.data);
- EVP_DigestFinal_ex(mdctx, (unsigned char*)trash->area, &digest_length);
+
+ if (!EVP_DigestInit_ex(mdctx, evp, NULL) ||
+ !EVP_DigestUpdate(mdctx, smp->data.u.str.area, smp->data.u.str.data) ||
+ !EVP_DigestFinal_ex(mdctx, (unsigned char*)trash->area, &digest_length)) {
+ EVP_MD_CTX_free(mdctx);
+ return 0;
+ }
+
 trash->data = digest_length;

 EVP_MD_CTX_free(mdctx);
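Review bot: The new failure branch in sample_conv_sha2() returns 0 without recording why the digest calls can fail or what the caller then observes, so a short comment above the `if` would help, for example `/* EVP_Digest* can fail (e.g. digest not available from the loaded provider); fail the converter instead of returning an incomplete digest */`. The commit message speaks of reporting an error, but the visible code only returns 0 and emits nothing; if that return value is the whole error contract for converters, the comment should say so. The context is now freed on two separate paths, so if further steps are ever added between EVP_MD_CTX_new() and the final EVP_MD_CTX_free(), a single cleanup exit would keep the two from drifting apart. The function starts and ends outside this hunk, so whether `evp` is guaranteed non-NULL at this point, and whether other EVP_Digest* callers in the file need the same check, cannot be judged from here.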