From: Willy Tarreau Date: Wed, 19 Apr 2017 09:13:48 +0000 (+0200) Subject: BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr() X-Git-Tag: v1.8-dev2~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bcfe23a7ecb212ca07dfbe20423684944d55e086;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr() Stephan Zeisberg reported another dirty abort case which can be triggered with this simple config (where file "d" doesn't exist) : backend b1 stats auth a:b acl auth_ok http_auth(c) -f d This issue was brought in 1.5-dev9 by commit 34db108 ("MAJOR: acl: make use of the new argument parsing framework") when prune_acl_expr() started to release arguments. The arg pointer is set to NULL but not its length. Because of this, later in smp_resolve_args(), the argument is still seen as valid (since only a test on the length is made as in all other places), and the NULL pointer is dereferenced. This patch properly clears the lengths to avoid such tests. This fix needs to be backported to 1.7, 1.6, and 1.5. --- diff --git a/src/acl.c b/src/acl.c index 93d365851b..da62e6c01b 100644 --- a/src/acl.c +++ b/src/acl.c @@ -115,6 +115,7 @@ static struct acl_expr *prune_acl_expr(struct acl_expr *expr) if (arg->type == ARGT_STR || arg->unresolved) { free(arg->data.str.str); arg->data.str.str = NULL; + arg->data.str.len = 0; unresolved |= arg->unresolved; arg->unresolved = 0; }
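Review bot: the new `arg->data.str.len = 0;` line deserves a short comment stating the invariant it restores, because the hunk on its own does not say why clearing the pointer was insufficient; something like `arg->data.str.len = 0; /* callers such as smp_resolve_args() test len, not str */` would keep the next person who frees a string argument from repeating the original mistake. The change itself is correct as far as the visible lines go: with `free(arg->data.str.str); arg->data.str.str = NULL;` leaving a stale non-zero length, any consumer that gates on the length alone would still dereference the NULL pointer, and zeroing the length is the only way to make the "argument present" test agree with the freed state. Since the free in this block is the only one in the hunk, any other site that frees `arg->data.str.str` should be checked for the same pointer-without-length pattern before the fix is backported to 1.7, 1.6 and 1.5 as the message intends.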