From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Tue, 24 Mar 2020 19:08:30 +0000 (+0100)
Subject: BUG/MINOR: peers: Use after free of "peers" section.
X-Git-Tag: v2.2-dev6~83
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=87eacbb12fb819adb3acd68a221ead27c70efb43;p=thirdparty%2Fhaproxy.git

BUG/MINOR: peers: Use after free of "peers" section.

When a "peers" section has not any local peer, it is removed of the list
of "peers" sections by check_config_validity(). But a stick-table which
refers to a "peers" section stores a pointer to this peers section.
These pointer must be reset to NULL value for each stick-table refering to
such a "peers" section to prevent stktable_init() to start the peers frontend
attached to the peers section dereferencing the invalid pointer.

Furthemore this patch stops the peers frontend as this is done for other
configurations invalidated by check_config_validity().

Thank you to Olivier D for having reported this issue with such a
simple configuration file which made haproxy crash when started with
-c option for configuration file validation.

  defaults
    mode http

  peers mypeers
    peer toto 127.0.0.1:1024

  backend test
    stick-table type ip size 10k expire 1h store http_req_rate(1h) peers mypeers

Must be backported to 2.1 and 2.0.
---

diff --git a/src/cfgparse.c b/src/cfgparse.c
index eaa853f6e1..2c80083120 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -3925,6 +3925,7 @@ out_uri_auth_compat:
 		 */
 		last = &cfg_peers;
 		while (*last) {
+			struct stktable *t;
 			curpeers = *last;
 
 			if (curpeers->state == PR_STSTOPPED) {
@@ -3936,6 +3937,9 @@ out_uri_auth_compat:
 			else if (!curpeers->peers_fe || !curpeers->peers_fe->id) {
 				ha_warning("Removing incomplete section 'peers %s' (no peer named '%s').\n",
 					   curpeers->id, localpeer);
+				if (curpeers->peers_fe)
+					stop_proxy(curpeers->peers_fe);
+				curpeers->peers_fe = NULL;
 			}
 			else if (atleast2(curpeers->peers_fe->bind_proc)) {
 				/* either it's totally stopped or too much used */
@@ -3998,6 +4002,11 @@ out_uri_auth_compat:
 			 */
 			free(curpeers->id);
 			curpeers = curpeers->next;
+			/* Reset any refereance to this peers section in the list of stick-tables */
+			for (t = stktables_list; t; t = t->next) {
+				if (t->peers.p && t->peers.p == *last)
+					t->peers.p = NULL;
+			}
 			free(*last);
 			*last = curpeers;
 		}