CLEANUP: pools: move the write before free to the uaf-only function

In UAF mode, pool_put_to_os() performs a write to the about-to-be-freed
memory area so as to make sure the page is properly mapped and catch a
possible double-free. However there's no point keeping that in an ifdef
in the generic function, because we now have a pool_free_area_uaf()
that is the UAF-specific version of pool_free_area() and the one that
is called immediately after this write. Let's move the code there, it
will be cleaner.

diff --git a/src/pool.c b/src/pool.c
index 1c177cafd29bf7b95fe955901978c468bd25b368..48e51e665dc74fefdbb71b934eccd6a90886b38f 100644 (file)
--- a/src/pool.c
+++ b/src/pool.c
@@ -352,14 +352,6 @@ void *pool_get_from_os(struct pool_head *pool)
  */
 void pool_put_to_os(struct pool_head *pool, void *ptr)
 {
-#ifdef DEBUG_UAF
-       /* This object will be released for real in order to detect a use after
-        * free. We also force a write to the area to ensure we crash on double
-        * free or free of a const area.
-        */
-       *(uint32_t *)ptr = 0xDEADADD4;
-#endif /* DEBUG_UAF */
-
        pool_free_area(ptr, pool->alloc_sz);
        _HA_ATOMIC_DEC(&pool->allocated);
 }
@@ -837,6 +829,12 @@ void pool_free_area_uaf(void *area, size_t size)
 {
        size_t pad = (4096 - size) & 0xFF0;
 
+       /* This object will be released for real in order to detect a use after
+        * free. We also force a write to the area to ensure we crash on double
+        * free or free of a const area.
+        */
+       *(uint32_t *)area = 0xDEADADD4;
+
        if (pad >= sizeof(void *) && *(void **)(area - sizeof(void *)) != area)
                ABORT_NOW();