From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 30 Jul 2019 14:51:42 +0000 (+0200)
Subject: BUG/MINOR: mux-h1: Fix a UAF in cfg_h1_headers_case_adjust_postparser()
X-Git-Tag: v2.1-dev2~104
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cac5c094d1da360dd78c188b89c0f7fd52569d61;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mux-h1: Fix a UAF in cfg_h1_headers_case_adjust_postparser()

When an error occurs in the post-parser callback which checks configuration
validity of the option outgoing-headers-case-adjust-file, the error message is
freed too early, before being used.

No backport needed. It fixes the github issue #258.
---

diff --git a/src/mux_h1.c b/src/mux_h1.c
index e6383305b0..1fc65039f8 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -2693,17 +2693,17 @@ static int cfg_h1_headers_case_adjust_postparser()
 		err = NULL;
 		rc = add_hdr_case_adjust(key_beg, value_beg, &err);
 		if (rc < 0) {
-			free(err);
 			ha_alert("config : h1-outgoing-headers-case-adjust-file '%s' : %s at line %d.\n",
 				 hdrs_map.name, err, line);
 			err_code |= ERR_ALERT | ERR_FATAL;
+			free(err);
 			goto end;
 		}
 		if (rc > 0) {
-			free(err);
 			ha_warning("config : h1-outgoing-headers-case-adjust-file '%s' : %s at line %d.\n",
 				   hdrs_map.name, err, line);
 			err_code |= ERR_WARN;
+			free(err);
 		}
 	}