From: Willy Tarreau Date: Tue, 21 Mar 2023 09:50:51 +0000 (+0100) Subject: BUG/MEDIUM: applet: only set appctx->sedesc on successful allocation X-Git-Tag: v2.8-dev6~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=465a6c8;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: applet: only set appctx->sedesc on successful allocation If appctx_new_on() fails to allocate a task, it will not remove the freshly allocated sedesc from the appctx despite freeing it, causing a UAF. Let's only assign appctx->sedesc upon success. This needs to be backported to 2.6. In 2.6 the function is slightly different and called appctx_new(), though the issue is exactly the same. --- diff --git a/src/applet.c b/src/applet.c index 2900013932..b7e9920b8b 100644 --- a/src/applet.c +++ b/src/applet.c @@ -48,6 +48,7 @@ struct appctx *appctx_new_on(struct applet *applet, struct sedesc *sedesc, int t appctx->obj_type = OBJ_TYPE_APPCTX; appctx->applet = applet; appctx->sess = NULL; + appctx->sedesc = NULL; if (!sedesc) { sedesc = sedesc_new(); if (!sedesc) @@ -55,11 +56,12 @@ struct appctx *appctx_new_on(struct applet *applet, struct sedesc *sedesc, int t sedesc->se = appctx; se_fl_set(sedesc, SE_FL_T_APPLET | SE_FL_ORPHAN); } - appctx->sedesc = sedesc; appctx->t = task_new_on(thr); if (unlikely(!appctx->t)) goto fail_task; + + appctx->sedesc = sedesc; appctx->t->process = task_run_applet; appctx->t->context = appctx;
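Review bot: the added `appctx->sedesc = NULL;` in the first hunk is what makes the later move safe, since nothing else in the visible lines initialises that field before the `fail_task` path can be reached; the fail path itself is outside the hunk, so confirm it frees the descriptor only when it was allocated here in the `sedesc_new()` branch and never one passed in by the caller, and that it no longer dereferences `appctx->sedesc` now that the field is NULL on that path.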
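Review bot: moving `appctx->sedesc = sedesc;` past the `task_new_on()` check in the second hunk removes the dangling pointer described in the commit message, but the resulting ownership rule (a caller-supplied sedesc stays with the caller on failure, a locally allocated one is released) is only implicit; a one-line comment above the `if (!sedesc)` block would make it explicit for the 2.6 backport of `appctx_new()` mentioned in the message, which needs the NULL initialisation from the first hunk as well, not only the moved assignment.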