From: Tim Duesterhus <tim@bastelstu.be>
Date: Sat, 4 Jul 2020 09:49:38 +0000 (+0200)
Subject: BUG/MINOR: acl: Fix freeing of expr->smp in prune_acl_expr
X-Git-Tag: v2.3-dev1~59
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fa0df5;p=thirdparty%2Fhaproxy.git

BUG/MINOR: acl: Fix freeing of expr->smp in prune_acl_expr

Instead of simply calling free() in expr->smp->arg_p in certain cases
properly free the sample using release_sample_expr().

Given the following example configuration:

    frontend foo
    	bind *:8080
    	mode http
    	http-request set-var(txn.foo) str(bar)
    	acl is_match str(foo),strcmp(txn.hash) -m bool

Running a configuration check within valgrind reports:

    ==31371== 160 (48 direct, 112 indirect) bytes in 1 blocks are definitely lost in loss record 35 of 45
    ==31371==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==31371==    by 0x4C3832: sample_parse_expr (sample.c:876)
    ==31371==    by 0x56B3E0: parse_acl_expr (acl.c:319)
    ==31371==    by 0x56BA4F: parse_acl (acl.c:697)
    ==31371==    by 0x48D225: cfg_parse_listen (cfgparse-listen.c:816)
    ==31371==    by 0x4797C3: readcfgfile (cfgparse.c:2167)
    ==31371==    by 0x5293ED: init (haproxy.c:2021)
    ==31371==    by 0x41F382: main (haproxy.c:3126)

After this patch this leak is reduced. It will be fully removed in a
follow up patch:

    ==32503== 32 bytes in 1 blocks are definitely lost in loss record 20 of 43
    ==32503==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==32503==    by 0x4C39B5: sample_parse_expr (sample.c:982)
    ==32503==    by 0x56B410: parse_acl_expr (acl.c:319)
    ==32503==    by 0x56BA7F: parse_acl (acl.c:697)
    ==32503==    by 0x48D225: cfg_parse_listen (cfgparse-listen.c:816)
    ==32503==    by 0x4797C3: readcfgfile (cfgparse.c:2167)
    ==32503==    by 0x52943D: init (haproxy.c:2021)
    ==32503==    by 0x41F382: main (haproxy.c:3133)

This is a fairly minor leak that can only be observed if ACLs need to be
freed, which is not something that should occur during normal processing
and most likely only during shut down. Thus no backport should be needed.
---

diff --git a/src/acl.c b/src/acl.c
index 5fea5dcc2a..014269e74c 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -117,8 +117,8 @@ static struct acl_expr *prune_acl_expr(struct acl_expr *expr)
 		}
 	}
 
-	if (expr->smp->arg_p != empty_arg_list && !unresolved)
-		free(expr->smp->arg_p);
+	release_sample_expr(expr->smp);
+
 	return expr;
 }