From: Tim Duesterhus
Date: Sun, 23 Jun 2019 20:10:12 +0000 (+0200)
Subject: BUG/MINOR: mworker-prog: Fix segmentation fault during cfgparse
X-Git-Tag: v2.1-dev1~64
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c9e274f45ddefbd5d4508cdc8957ee9c1acc75d;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mworker-prog: Fix segmentation fault during cfgparse

Consider this configuration:

    frontend fe_http
        mode http
        bind *:8080
        default_backend be_http

    backend be_http
        mode http
        server example example.com:80

    program foo bar

Running with valgrind results in:

    ==16252== Invalid read of size 8
    ==16252== at 0x52AE3F: cfg_parse_program (mworker-prog.c:233)
    ==16252== by 0x4823B3: readcfgfile (cfgparse.c:2180)
    ==16252== by 0x47BCED: init (haproxy.c:1649)
    ==16252== by 0x404E22: main (haproxy.c:2714)
    ==16252== Address 0x48 is not stack'd, malloc'd or (recently) free'd

Check whether `ext_child` is valid before attempting to free it and its
contents.

This bug was introduced in 9a1ee7ac31c56fd7d881adf2ef4659f336e50c9f.

This fix must be backported to HAProxy 2.0.
---

diff --git a/src/mworker-prog.c b/src/mworker-prog.c index 467ce9b248..ba52406e9a 100644 --- a/src/mworker-prog.c +++ b/src/mworker-prog.c
@@ -230,22 +230,24 @@ int cfg_parse_program(const char *file, int linenum, char **args, int kwm) return err_code; error: - LIST_DEL(&ext_child->list); - if (ext_child->command) { - int i; - - for (i = 0; ext_child->command[i]; i++) { - if (ext_child->command[i]) { - free(ext_child->command[i]); - ext_child->command[i] = NULL; + if (ext_child) { + LIST_DEL(&ext_child->list); + if (ext_child->command) { + int i; + + for (i = 0; ext_child->command[i]; i++) { + if (ext_child->command[i]) { + free(ext_child->command[i]); + ext_child->command[i] = NULL; + } } + free(ext_child->command); + ext_child->command = NULL; + } + if (ext_child->id) { + free(ext_child->id); + ext_child->id = NULL; } - free(ext_child->command); - ext_child->command = NULL; - } - if (ext_child->id) { - free(ext_child->id); - ext_child->id = NULL; } free(ext_child);
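
Review bot: In the new `if (ext_child) {` block under `error:`, `LIST_DEL(&ext_child->list);` still runs for every non-NULL `ext_child`, so please confirm that each `goto error` taken after allocation has the list element initialised; if one does not, the cleanup would still touch invalid memory on that path. The guard also only helps if `ext_child` is NULL on the failing path (the valgrind address 0x48 is consistent with that), which depends on an initialiser outside this hunk. Since these lines are being re-indented anyway, the inner `if (ext_child->command[i])` could be dropped, because the `for` condition `ext_child->command[i]` already guarantees a non-NULL entry, and the `= NULL` assignments are dead stores given the `free(ext_child);` that follows.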