[Fix] Clear pending multipatterns on config reload to prevent use-after-free
authorVsevolod Stakhov <vsevolod@rspamd.com>
Mon, 26 Jan 2026 16:30:18 +0000 (16:30 +0000)
committerVsevolod Stakhov <vsevolod@rspamd.com>
Mon, 26 Jan 2026 16:30:18 +0000 (16:30 +0000)
After SIGHUP reload, the global pending_compilations queue retained
stale multipattern pointers from the freed old config. When hs_helper
processed the queue, it accessed freed memory causing heap-buffer-overflow
in rspamd_multipattern_get_npatterns().

Add rspamd_multipattern_clear_pending() alongside the existing
rspamd_regexp_map_clear_pending() call before releasing old config.

src/rspamd.c

index f26c56819c1ec2c8501074a2bbece3ef31c04d64..fbadc59d8576c1477a3f32fa46afe60cfb499d45 100644 (file)
@@ -58,6 +58,7 @@
 #ifdef WITH_HYPERSCAN
 #include "libserver/hyperscan_tools.h"
 #include "libserver/maps/map_helpers.h"
+#include "libutil/multipattern.h"
 #endif
 
 #include "rspamd_simdutf.h"
@@ -343,7 +344,8 @@ reread_config(struct rspamd_main *rspamd_main)
                rspamd_log_close(old_logger);
                msg_info_main("replacing config");
 #ifdef WITH_HYPERSCAN
-               /* Clear pending regexp maps before releasing old config to avoid use-after-free */
+               /* Clear pending multipatterns and regexp maps before releasing old config to avoid use-after-free */
+               rspamd_multipattern_clear_pending();
                rspamd_regexp_map_clear_pending();
 #endif
                CFG_REF_RELEASE(old_cfg);
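Review bot: The fix in `reread_config()` depends on call-site ordering: the global pending queue is only safe because `rspamd_multipattern_clear_pending()` happens to run before `CFG_REF_RELEASE(old_cfg)` on this one path. Any other path that releases a config would leave the same dangling pointers, for example a reload that fails after the new config has already queued multipatterns; that path is not visible in this hunk, so please confirm it. A more durable fix would have the multipattern destroy path unlink the object from the pending queue, or have the queue hold a reference, so the lifetime rule is tied to the object rather than to each caller. At minimum, state the invariant at the call site, e.g. `/* Invariant: no entry in the global pending queues may outlive old_cfg; both clears must stay before CFG_REF_RELEASE(old_cfg) */`. Since the report came from a sanitizer, a reload test under ASan with hs_helper running (SIGHUP while compilations are pending) would guard against regressions.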