From: Valentine Krasnobaeva <vkrasnobaeva@haproxy.com>
Date: Thu, 21 Nov 2024 15:21:54 +0000 (+0100)
Subject: BUG/MINOR: startup: fix UAF when set the default for log_tag
X-Git-Tag: v3.1-dev14~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=351ae5dbeda32a257d2970a140747107f750fe4e;p=thirdparty%2Fhaproxy.git

BUG/MINOR: startup: fix UAF when set the default for log_tag

In the init_early() global.log_tag is initialized to the string from progname
pointer and global.log_tag.area points to this pointer.

If log-tag keyword is provided in the configuration, its parser at first frees
global.log_tag.area and then it does a new memory allocation to copy
there the argument of log-tag. So, progname no longer points to the valid
memory.

To fix this, let's always keep progname and global.log_tag.area at separate
memory areas. If log_tag will be redefined in the configuration, its parser will
free the memory allocated for the default value in chunk_destroy(). Memory
allocated for progname will be freed in deinit().

This should not be backported as related to the latest master-worker
refactoring.
---

diff --git a/src/haproxy.c b/src/haproxy.c
index 063ec5cb98..6079b9d1b7 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1592,7 +1592,7 @@ static void init_early(int argc, char **argv)
 		exit(EXIT_FAILURE);
 	}
 
-	chunk_initlen(&global.log_tag, progname, len, len);
+	chunk_initlen(&global.log_tag, strdup(progname), len, len);
 }
 
 /* handles program arguments. Very minimal parsing is performed, variables are