From: Aurelien DARRAGON <adarragon@haproxy.com>
Date: Thu, 6 Jul 2023 12:57:32 +0000 (+0200)
Subject: BUG/MEDIUM: sink: invalid server list in sink_new_from_logsrv()
X-Git-Tag: v2.9-dev2~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=999699a277d85e875c5351cfe949c851f574f007;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: sink: invalid server list in sink_new_from_logsrv()

forward proxy server list created from sink_new_from_logsrv() is invalid

Indeed, srv->next is literally assigned to itself. This did not cause
issues during syslog handling because the sft was properly set, but it
will cause the free_proxy(sink->forward_px) at deinit to go wild since
free_proxy() will try to iterate through the proxy srv list to free
ressources, but because of the improper list initialization, double-free
and infinite-loop will occur.

This bug was revealed by 9b1d15f53a ("BUG/MINOR: sink: free forward_px on deinit()")

It must be backported as far as 2.4.
---

diff --git a/src/sink.c b/src/sink.c
index 8f38f85084..1edde3c861 100644
--- a/src/sink.c
+++ b/src/sink.c
@@ -1089,8 +1089,8 @@ struct sink *sink_new_from_logsrv(struct logsrv *logsrv)
 	/* the servers are linked backwards
 	 * first into proxy
 	 */
-	p->srv = srv;
 	srv->next = p->srv;
+	p->srv = srv;
 
 	/* allocate sink_forward_target descriptor */
 	sft = calloc(1, sizeof(*sft));