Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / a90daf182891521fcc7c3e99ba266e6a55d4b4dd^! / .
commita90daf182891521fcc7c3e99ba266e6a55d4b4dd[log] [tgz]
authorEd Tanous <edtanous@google.com>Fri Jan 15 14:18:01 2021 -0800
committerEd Tanous <edtanous@google.com>Fri Jan 15 15:24:07 2021 -0800
treeb45e7fcf59378aca7aacbc8fe745115493919ee7
parent19a8815adc2d58d69a15f492266ae0e921816102 [diff]
Add missing nullptr check

In theory, having a sessionless websocket isn't possible.  In practice,
this did come up when an ownership issue caused UB, which is how I saw
this.

Tested:
Tested with scripts/websocket_test.py and saw sensor values streaming by
as expected.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I7cc9c9660c8207ba857e6f6f14f010eaf79b73ef

diff --git a/http/websocket.hpp b/http/websocket.hpp
index 363076e..446db1b 100644
--- a/http/websocket.hpp
+++ b/http/websocket.hpp

@@ -100,14 +100,17 @@
                 boost::beast::websocket::response_type& m) {
 
 #ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION
-                // use protocol for csrf checking
-                if (session->cookieAuth &&
-                    !crow::utility::constantTimeStringCompare(
-                        protocol, session->csrfToken))
+                if (session != nullptr)
                 {
-                    BMCWEB_LOG_ERROR << "Websocket CSRF error";
-                    m.result(boost::beast::http::status::unauthorized);
-                    return;
+                    // use protocol for csrf checking
+                    if (session->cookieAuth &&
+                        !crow::utility::constantTimeStringCompare(
+                            protocol, session->csrfToken))
+                    {
+                        BMCWEB_LOG_ERROR << "Websocket CSRF error";
+                        m.result(boost::beast::http::status::unauthorized);
+                        return;
+                    }
                 }
 #endif
                 if (!protocol.empty())