From: Willy Tarreau Date: Tue, 16 Sep 2025 09:49:01 +0000 (+0200) Subject: BUG/MEDIUM: pattern: fix possible infinite loops on deletion X-Git-Tag: v3.3-dev9~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=359a829ccb8693e0b29808acc0fa7975735c0353;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: pattern: fix possible infinite loops on deletion Commit e36b3b60b3 ("MEDIUM: migrate the patterns reference to cebs_tree") changed the construction of the loops used to look up matching nodes, and since we don't need two elements anymore, the "continue" statement now loops on the same element when deleting. Let's fix this to make sure it passes through the next one. No backport is needed, this is only 3.3. --- diff --git a/src/pattern.c b/src/pattern.c index 997184139..c740dbe8a 100644 --- a/src/pattern.c +++ b/src/pattern.c @@ -1626,18 +1626,16 @@ int pat_ref_delete_by_id(struct pat_ref *ref, struct pat_ref_elt *refelt) */ int pat_ref_gen_delete(struct pat_ref *ref, unsigned int gen_id, const char *key) { - struct pat_ref_elt *elt, *next; + struct pat_ref_elt *elt; int found = 0; /* delete pattern from reference */ - elt = cebs_item_lookup(&ref->ceb_root, node, pattern, key, struct pat_ref_elt); - while (elt) { + for (elt = cebs_item_lookup(&ref->ceb_root, node, pattern, key, struct pat_ref_elt); + elt; elt = cebs_item_next_dup(&ref->ceb_root, node, pattern, elt)) { if (elt->gen_id != gen_id) continue; - next = cebs_item_next_dup(&ref->ceb_root, node, pattern, elt); pat_ref_delete_by_ptr(ref, elt); found = 1; - elt = next; } if (found) @@ -1797,7 +1795,7 @@ static int pat_ref_set_from_elt(struct pat_ref *ref, struct pat_ref_elt *elt, co gen = elt->gen_id; else if (elt->gen_id != gen) { /* only consider duplicate elements from the same gen! */ - continue; + goto skip; } if (!pat_ref_set_elt(ref, elt, value, &tmp_err)) { @@ -1809,6 +1807,7 @@ static int pat_ref_set_from_elt(struct pat_ref *ref, struct pat_ref_elt *elt, co } found = 1; first = 0; + skip: elt = cebs_item_next_dup(&ref->ceb_root, node, pattern, elt); }