From: Willy Tarreau Date: Fri, 19 Nov 2010 10:29:06 +0000 (+0100) Subject: [BUG] appsession: fix possible double free in case of out of memory X-Git-Tag: v1.5-dev8~365 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77eb9b8a2d9a9b57b6f60c22a3d0203bbd7a936d;p=thirdparty%2Fhaproxy.git [BUG] appsession: fix possible double free in case of out of memory In out of memory conditions, the ->destroy function would free all possibly allocated pools from the current appsession, including those that were not yet allocated nor assigned, which used to point to a previous allocation, obviously resulting in a segfault. (cherry picked from commit 75eae485921d3a6ce197915c769673834ecbfa5c) --- diff --git a/src/proto_http.c b/src/proto_http.c index e06a78274e..a65a923e88 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -6900,6 +6900,8 @@ void manage_server_side_cookies(struct session *t, struct buffer *res) send_log(t->be, LOG_ALERT, "Not enough Memory process_srv():asession:calloc().\n"); return; } + asession->serverid = NULL; /* to avoid a double free in case of allocation error */ + if ((asession->sessid = pool_alloc2(apools.sessid)) == NULL) { Alert("Not enough Memory process_srv():asession->sessid:malloc().\n"); send_log(t->be, LOG_ALERT, "Not enough Memory process_srv():asession->sessid:malloc().\n"); @@ -6911,7 +6913,7 @@ void manage_server_side_cookies(struct session *t, struct buffer *res) server_id_len = strlen(t->srv->id) + 1; if ((asession->serverid = pool_alloc2(apools.serverid)) == NULL) { - Alert("Not enough Memory process_srv():asession->sessid:malloc().\n"); + Alert("Not enough Memory process_srv():asession->serverid:malloc().\n"); send_log(t->be, LOG_ALERT, "Not enough Memory process_srv():asession->sessid:malloc().\n"); t->be->htbl_proxy.destroy(asession); return;
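Review bot: In the first hunk (@@ -6900,6 +6900,8 @@), only `asession->serverid` is reset after the asession allocation, so the fix covers exactly one stale pointer. `sessid` is safe because the next statement assigns it straight from `pool_alloc2()` and it is NULL on failure, but any pointer member added to the appsession later and freed by `->destroy` would bring the same double free back. Consider clearing the whole object right after it is allocated (a memset over `sizeof(*asession)`) rather than one field, and state in the comment that `->destroy` must skip NULL members, since this change depends on that. The context line's message "asession:calloc()" is also misleading: the commit message shows the memory is not zeroed.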
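Review bot: In the second hunk (@@ -6911,7 +6913,7 @@), the `send_log()` call directly below the corrected `Alert()` still reports "asession->sessid:malloc()" for the serverid allocation failure, so the logged message keeps pointing at the wrong allocation while only the alert is fixed. Change that string to "asession->serverid:malloc()" in the same patch so both messages agree.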