[Fix] Clear pending regexp maps on config reload to prevent use-after-free

During HUP-triggered config reload, the pending_regexp_maps array retained
pointers to re_map objects from the old config after they were freed. When
workers received "regexp map loaded" notifications, they accessed freed memory
(visible as 0x5A poison pattern in re_digest), causing SIGSEGV.

Fix by calling rspamd_regexp_map_clear_pending() before releasing the old
config in reread_config().

diff --git a/src/rspamd.c b/src/rspamd.c
index 6e131b9b57d6608e3c6588743adb5584a8da97dc..f26c56819c1ec2c8501074a2bbece3ef31c04d64 100644 (file)
--- a/src/rspamd.c
+++ b/src/rspamd.c
@@ -57,6 +57,7 @@
 
 #ifdef WITH_HYPERSCAN
 #include "libserver/hyperscan_tools.h"
+#include "libserver/maps/map_helpers.h"
 #endif
 
 #include "rspamd_simdutf.h"
@@ -341,6 +342,10 @@ reread_config(struct rspamd_main *rspamd_main)
        else {
                rspamd_log_close(old_logger);
                msg_info_main("replacing config");
+#ifdef WITH_HYPERSCAN
+               /* Clear pending regexp maps before releasing old config to avoid use-after-free */
+               rspamd_regexp_map_clear_pending();
+#endif
                CFG_REF_RELEASE(old_cfg);
                rspamd_main->cfg->rspamd_user = rspamd_user;
                rspamd_main->cfg->rspamd_group = rspamd_group;