From: peter cai
Date: Wed, 7 Oct 2015 07:07:43 +0000 (-0700)
Subject: BUG/MEDIUM: pattern: fixup use_after_free in the pat_ref_delete_by_id
X-Git-Tag: v1.6.0~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aede6ddd1f3a9ad553bc17eba9b0b1d09094b3ca;p=thirdparty%2Fhaproxy.git
BUG/MEDIUM: pattern: fixup use_after_free in the pat_ref_delete_by_id
I found there is use_after_free bug in the pat_ref_delete_by_id. [wt: it seems this fix must be backported to 1.5 as well]
---
diff --git a/src/pattern.c b/src/pattern.c
index 07e1a524d9..254c10650e 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -1540,14 +1540,13 @@ int pat_ref_delete_by_id(struct pat_ref *ref, struct pat_ref_elt *refelt)
 /* delete pattern from reference */
 list_for_each_entry_safe(elt, safe, &ref->head, list) {
 if (elt == refelt) {
+ list_for_each_entry(expr, &ref->pat, list)
+ pattern_delete(expr, elt);
+
 LIST_DEL(&elt->list);
 free(elt->sample);
 free(elt->pattern);
 free(elt);
-
- list_for_each_entry(expr, &ref->pat, list)
- pattern_delete(expr, elt);
-
 return 1;
 }
 }
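Review bot: The reordered block inside `if (elt == refelt)` relies on an ordering that nothing in the code records: `pattern_delete(expr, elt)` is handed `elt`, so the walk over `ref->pat` has to finish before `LIST_DEL` and the three `free()` calls. I would add a comment above the loop, for example `/* detach elt from every expression first: pattern_delete() is passed elt, which is freed below */`, so that a later cleanup does not move the loop back after the frees. The `list_for_each_entry` body is unbraced; bracing it would make the loop's extent explicit next to the blank line that follows it. The body of pat_ref_delete_by_id starts and ends outside the hunk, and any other function that frees a `pat_ref_elt` is not visible here, so it is worth confirming that those paths use the same order.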