From e0844a305c623ac672f9a30e9d62dc3a0f7df61b Mon Sep 17 00:00:00 2001 From: Remi Tricot-Le Breton Date: Wed, 10 Sep 2025 10:31:08 +0200 Subject: [PATCH] BUG/MINOR: ssl: Fix potential NULL deref in trace callback 'conn' might be NULL in the trace callback so the calls to conn_err_code_str must be covered by a proper check. This issue was found by Coverity and raised in GitHub #3112. The patch must be backported to 3.2. --- src/ssl_trace.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/ssl_trace.c b/src/ssl_trace.c index cc7b87042..ae5a07233 100644 --- a/src/ssl_trace.c +++ b/src/ssl_trace.c @@ -84,6 +84,7 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_ const struct ist where, const struct ist func, const void *a1, const void *a2, const void *a3, const void *a4) { + const char *errstr = NULL; struct connection *conn = (struct connection*)a1; if (src->verbosity <= SSL_VERB_CLEAN) @@ -93,6 +94,8 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_ struct proxy *px = conn_get_proxy(conn); chunk_appendf(&trace_buf, " : [%c(%s)] conn=%p(0x%08x)", conn_is_back(conn) ? 'B' : 'F', px ? px->id : "", conn, conn->flags); + + errstr = conn_err_code_str(conn); } if (src->verbosity <= SSL_VERB_MINIMAL) @@ -150,7 +153,7 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_ * error we had. */ if (a3) { const unsigned int *err_code = a3; - chunk_appendf(&trace_buf, " err_code=%u err_str=\"%s\"", *err_code, conn_err_code_str(conn)); + chunk_appendf(&trace_buf, " err_code=%u err_str=\"%s\"", *err_code, errstr); } if (a4) { 
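Review bot: `errstr` is declared as NULL in the first hunk and only assigned inside the conn-guarded block of the second hunk, so when conn is NULL the three `err_str=\"%s\"` call sites (hunks at -150, -165 and -186) now pass a NULL pointer to `%s`. Passing NULL for `%s` is undefined behaviour in the printf family, and although glibc prints "(null)", that is not guaranteed on other C libraries. If chunk_appendf forwards to vsnprintf, the crash in the trace path may therefore only have moved from conn_err_code_str into the formatter. Giving the variable a printable default, `const char *errstr = "";`, or guarding each use with `errstr ? errstr : ""`, would close this. The body of ssl_trace continues outside the hunk.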
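Review bot: The added `errstr = conn_err_code_str(conn);` in the second hunk has no comment saying why the lookup was moved up into this block. It also now runs for every trace above SSL_VERB_CLEAN that has a connection, not only when an `err_str` is printed. A one-line comment such as `/* resolved here, under the conn check, because conn may be NULL at the err_str sites below */` would stop a later cleanup from moving the call back to the unguarded sites. The `if` that opens this block is outside the hunk, so reading it as a conn NULL check is inferred from the commit message and from the `conn->flags` dereference just above.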
@@ -165,7 +168,7 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_ if (mask & SSL_EV_CONN_ERR) { if (a3) { const unsigned int *err_code = a3; - chunk_appendf(&trace_buf, " err_code=%u err_str=\"%s\"", *err_code, conn_err_code_str(conn)); + chunk_appendf(&trace_buf, " err_code=%u err_str=\"%s\"", *err_code, errstr); } if (a4) { const unsigned int *ssl_err_code = a4; @@ -186,7 +189,7 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_ if (mask & SSL_EV_CONN_ERR) { if (a3) { const unsigned int *err_code = a3; - chunk_appendf(&trace_buf, " err_code=%u err_str=\"%s\"", *err_code, conn_err_code_str(conn)); + chunk_appendf(&trace_buf, " err_code=%u err_str=\"%s\"", *err_code, errstr); } } else if (src->verbosity > SSL_VERB_SIMPLE) { if (a3) {