From: Willy Tarreau Date: Tue, 30 Apr 2019 09:43:43 +0000 (+0200) Subject: BUG/MAJOR: map/acl: real fix segfault during show map/acl on CLI X-Git-Tag: v2.0-dev3~149 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49ee3b2f9a9e5d0b8d394938df527aa645ce72b4;p=thirdparty%2Fhaproxy.git BUG/MAJOR: map/acl: real fix segfault during show map/acl on CLI A previous commit 8d85aa44d ("BUG/MAJOR: map: fix segfault during 'show map/acl' on cli.") was provided to address a concurrency issue between "show acl" and "clear acl" on the CLI. Sadly the code placed there was copy-pasted without changing the element type (which was struct stream in the original code) and not tested since the crash is still present. The reproducer is simple : load a large ACL file (e.g. geolocation addresses), issue "show acl #0" in loops in one window and issue a "clear acl #0" in the other one, haproxy crashes. This fix was also tested with threads enabled and looks good since the locking seems to work correctly in these areas though. It will have to be backported as far as 1.6 since the commit above went that far as well... --- diff --git a/src/pattern.c b/src/pattern.c index 93cdede116..acb78e38da 100644 --- a/src/pattern.c +++ b/src/pattern.c @@ -1652,7 +1652,7 @@ int pat_ref_delete_by_id(struct pat_ref *ref, struct pat_ref_elt *refelt) LIST_DEL(&bref->users); LIST_INIT(&bref->users); if (elt->list.n != &ref->head) - LIST_ADDQ(&LIST_ELEM(elt->list.n, struct stream *, list)->back_refs, &bref->users); + LIST_ADDQ(&LIST_ELEM(elt->list.n, typeof(elt), list)->back_refs, &bref->users); bref->ref = elt->list.n; } list_for_each_entry(expr, &ref->pat, list) @@ -1692,7 +1692,7 @@ int pat_ref_delete(struct pat_ref *ref, const char *key) LIST_DEL(&bref->users); LIST_INIT(&bref->users); if (elt->list.n != &ref->head) - LIST_ADDQ(&LIST_ELEM(elt->list.n, struct stream *, list)->back_refs, &bref->users); + LIST_ADDQ(&LIST_ELEM(elt->list.n, typeof(elt), list)->back_refs, &bref->users); bref->ref = elt->list.n; } list_for_each_entry(expr, &ref->pat, list) @@ -2087,7 +2087,7 @@ void pat_ref_reload(struct pat_ref *ref, struct pat_ref *replace) LIST_DEL(&bref->users); LIST_INIT(&bref->users); if (elt->list.n != &ref->head) - LIST_ADDQ(&LIST_ELEM(elt->list.n, struct stream *, list)->back_refs, &bref->users); + LIST_ADDQ(&LIST_ELEM(elt->list.n, typeof(elt), list)->back_refs, &bref->users); bref->ref = elt->list.n; } LIST_DEL(&elt->list); @@ -2176,7 +2176,7 @@ void pat_ref_prune(struct pat_ref *ref) LIST_DEL(&bref->users); LIST_INIT(&bref->users); if (elt->list.n != &ref->head) - LIST_ADDQ(&LIST_ELEM(elt->list.n, struct stream *, list)->back_refs, &bref->users); + LIST_ADDQ(&LIST_ELEM(elt->list.n, typeof(elt), list)->back_refs, &bref->users); bref->ref = elt->list.n; } LIST_DEL(&elt->list);