Thanks to visit codestin.com
Credit goes to github.com

Skip to content

CID 1645071 src/http_fetch.c null pointer derefenrce suspected by coverity #3280

New issue
New issue
Open
Open
CID 1645071 src/http_fetch.c null pointer derefenrce suspected by coverity#3280
Labels
type: code-reportThis issue describes a code report (like valgrind or coverity)
@chipitsine

Description

@chipitsine
chipitsine
opened on Feb 22, 2026

Tool Name and Version

coverity

Code Report

first detected on 19 Feb 2026
reported for the first time

622static int smp_fetch_body(const struct arg *args, struct sample *smp, const char *kw, void *private)
623{
624        /* possible keywords: req.body, res.body */
625        struct channel *chn = ((kw[2] == 'q') ? SMP_REQ_CHN(smp) : SMP_RES_CHN(smp));
626        struct check *check = ((kw[2] == 's') ? objt_check(smp->sess->origin) : NULL);
627        struct htx *htx = smp_prefetch_htx(smp, chn, check, 1);
628        struct buffer *chk = NULL;
629        struct ist body = IST_NULL;
630        int32_t pos;
631        int finished = 0;
632
     	1. Condition !htx, taking false branch.
633        if (!htx)
634                return 0;
635
     	2. Condition htx->flags & (12U /* 4 | 8 */), taking true branch.
636        if ((htx->flags & (HTX_FL_FRAGMENTED|HTX_FL_UNORDERED)) || htx_space_wraps(htx))
637                htx_defrag(htx, NULL, 0);
638
     	3. Condition pos != -1, taking true branch.
639        for (pos = htx_get_first(htx); pos != -1; pos = htx_get_next(htx, pos)) {
640                struct htx_blk *blk = htx_get_blk(htx, pos);
641                enum htx_blk_type type = htx_get_blk_type(blk);
642
     	4. Condition type == HTX_BLK_TLR, taking false branch.
     	5. Condition type == HTX_BLK_EOT, taking false branch.
643                if (type == HTX_BLK_TLR || type == HTX_BLK_EOT) {
644                        finished = 1;
645                        break;
646                }
     	6. Condition type == HTX_BLK_DATA, taking true branch.
647                if (type == HTX_BLK_DATA) {
     	7. Condition isttest(body), taking true branch.
648                        if (isttest(body)) {
649                                /* More than one DATA block we must use a trash */
     	8. Condition !chk, taking true branch.
650                                if (!chk) {
651                                        smp->flags &= ~SMP_F_CONST;
     	9. returned_null: get_trash_chunk_sz returns NULL (checked 15 out of 18 times).[show details]
     	10. var_assigned: Assigning: chk = NULL return value from get_trash_chunk_sz.
652                                        chk = get_trash_chunk_sz(htx->data);
     	
CID 1645071: (#1 of 1): Dereference null return value (NULL_RETURNS)
11. dereference: Dereferencing a pointer that might be NULL chk when calling chunk_istcat.[show details]
653                                        chunk_istcat(chk, body);
654                                }

Additional Information

No response

Output of haproxy -vv

n/a

Metadata

Metadata

Assignees

No one assigned

    Labels

    type: code-reportThis issue describes a code report (like valgrind or coverity)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions