From: Christopher Faulet <cfaulet@haproxy.com>
Date: Fri, 12 Mar 2021 11:00:14 +0000 (+0100)
Subject: BUG/MINOR: tcpcheck: Fix double free on error path when parsing tcp/http-check
X-Git-Tag: v2.4-dev12~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd03be73d59ad2c5d9ad43b28a1b0fda9f32526c;p=thirdparty%2Fhaproxy.git

BUG/MINOR: tcpcheck: Fix double free on error path when parsing tcp/http-check

When a "tcp-check" or a "http-check" rule is parsed, we try to get the
previous rule in the ruleset to get its index. We must take care to reset
the pointer on this rule in case an error is triggered later on the
parsing. Otherwise, the same rule may be released twice. For instance, it
happens with such line :

    http-check meth GET uri / ## note there is no "send" parameter

This patch must be backported as far as 2.2.
---

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 535c82c89b..55ecd2383e 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -3708,6 +3708,7 @@ static int proxy_parse_tcpcheck(char **args, int section, struct proxy *curpx,
 	if (!LIST_ISEMPTY(&rs->rules)) {
 		chk = LIST_PREV(&rs->rules, typeof(chk), list);
 		index = chk->index + 1;
+		chk = NULL;
 	}
 
 	cur_arg = 1;
@@ -3809,6 +3810,7 @@ static int proxy_parse_httpcheck(char **args, int section, struct proxy *curpx,
 		chk = LIST_PREV(&rs->rules, typeof(chk), list);
 		if (chk->action != TCPCHK_ACT_SEND || !(chk->send.http.flags & TCPCHK_SND_HTTP_FROM_OPT))
 			index = chk->index + 1;
+		chk = NULL;
 	}
 
 	if (strcmp(args[cur_arg], "connect") == 0)