From: Willy Tarreau Date: Sat, 17 Jul 2021 16:36:43 +0000 (+0200) Subject: BUG/MINOR: arg: free all args on make_arg_list()'s error path X-Git-Tag: v2.5-dev3~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69a23ae0917750329fa5e6072f5cb9b68b949bdd;p=thirdparty%2Fhaproxy.git BUG/MINOR: arg: free all args on make_arg_list()'s error path While we do free the array containing the arguments, we do not free allocated ones. Most of them are unresolved, but strings are allocated and have to be freed as well. Note that for the sake of not breaking the args resolution list that might have been set, we still refrain from doing this if a resolution was already programmed, but for most common cases (including the ones that can be found in config conditions and at run time) we're safe. This may be backported to stable branches, but it relies on the new free_args() function that was introduced by commit ab213a5b6 ("MINOR: arg: add a free_args() function to free an args array"), and which is likely safe to backport as well. This leak was reported by oss-fuzz (issue 36265). --- diff --git a/src/arg.c b/src/arg.c index be27c457cf..140fbeff9c 100644 --- a/src/arg.c +++ b/src/arg.c @@ -394,6 +394,7 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp, /* only free the arg area if we have not queued unresolved args * still pointing to it. */ + free_args(*argp); free(*argp); } *argp = NULL;