BUG/MINOR: startup: fix UAF when set the default for log_tag

In the init_early() global.log_tag is initialized to the string from progname
pointer and global.log_tag.area points to this pointer.

If log-tag keyword is provided in the configuration, its parser at first frees
global.log_tag.area and then it does a new memory allocation to copy
there the argument of log-tag. So, progname no longer points to the valid
memory.

To fix this, let's always keep progname and global.log_tag.area at separate
memory areas. If log_tag will be redefined in the configuration, its parser will
free the memory allocated for the default value in chunk_destroy(). Memory
allocated for progname will be freed in deinit().

This should not be backported as related to the latest master-worker
refactoring.

diff --git a/src/haproxy.c b/src/haproxy.c
index 063ec5cb98d9ee292fa7cf2381494dabd67cf95c..6079b9d1b7ca540f88159c436c3b798b239a09c8 100644 (file)
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1592,7 +1592,7 @@ static void init_early(int argc, char **argv)
                exit(EXIT_FAILURE);
        }
 
-       chunk_initlen(&global.log_tag, progname, len, len);
+       chunk_initlen(&global.log_tag, strdup(progname), len, len);
 }
 
 /* handles program arguments. Very minimal parsing is performed, variables are