From: Amaury Denoyelle Date: Thu, 11 Apr 2024 09:05:02 +0000 (+0200) Subject: BUG/MINOR: guid: fix crash on invalid guid name X-Git-Tag: v3.0-dev8~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=32b9e97f9207c2d57dee1d6842f7b9ee52fb3c76;p=thirdparty%2Fhaproxy.git BUG/MINOR: guid: fix crash on invalid guid name Using an invalid GUID for guid_insert() causes a crash. This is easily reproducible using for example an invalid character with "guid" keyword. Here is the provided backtrace : Thread 1 "haproxy" received signal SIGSEGV, Segmentation fault. 0x00005555561fda95 in guid_insert (objt=0x520000002080, uid=0x519000002dac "@foo2", errmsg=0x7ffff4c0a7a0) at src/guid.c:83 83 ha_free(&guid->node.key); This error is present in guid_insert() cleanup parts. GUID node is not allocated in case of an early error so it's impossible to dereference it to free guid.node.key. Fix this simply by using an intermediary pointer key. This does not need to be backported. --- diff --git a/src/guid.c b/src/guid.c index 1f56ec9ba8..d3773d4a45 100644 --- a/src/guid.c +++ b/src/guid.c @@ -28,6 +28,7 @@ int guid_insert(enum obj_type *objt, const char *uid, char **errmsg) struct guid_node *guid = NULL; struct guid_node *dup; struct ebpt_node *node; + char *key = NULL; char *dup_name = NULL; const char *c; @@ -61,12 +62,13 @@ int guid_insert(enum obj_type *objt, const char *uid, char **errmsg) return 0; } - guid->node.key = strdup(uid); - if (!guid->node.key) { + key = strdup(uid); + if (!key) { memprintf(errmsg, "key alloc failure"); goto err; } + guid->node.key = key; node = ebis_insert(&guid_tree, &guid->node); if (node != &guid->node) { dup = ebpt_entry(node, struct guid_node, node); @@ -79,8 +81,7 @@ int guid_insert(enum obj_type *objt, const char *uid, char **errmsg) return 0; err: - ALREADY_CHECKED(guid); - ha_free(&guid->node.key); + ha_free(&key); ha_free(&dup_name); return 1; }
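Review bot: In the `err:` cleanup of the last hunk (@@ -79,8 +81,7), `ha_free(&key)` frees the string and NULLs only the local `key`, so `guid->node.key`, which the second hunk sets with `guid->node.key = key;` just before `ebis_insert()`, is no longer cleared. If the `node != &guid->node` branch ends in a jump to `err` (its body is cut off in the context shown), the node keeps a pointer to freed memory, whereas the removed `ha_free(&guid->node.key)` reset that field to NULL. Consider clearing it on that path, either with `guid->node.key = NULL;` in the duplicate branch before leaving it, or with `if (guid) guid->node.key = NULL;` in the cleanup, so that a later read or free of the node's key cannot reach the released string. The early-error case described in the commit message (`guid` still NULL) is handled correctly by the intermediary pointer.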