From: Vsevolod Stakhov <vsevolod@rspamd.com>
Date: Fri, 1 May 2026 08:16:55 +0000 (+0100)
Subject: [Fix] upstream: drop pool-less branch in set_token_bucket
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4d2da3126490aa0e0b594d87a5cb62ae0919edd;p=thirdparty%2Frspamd.git

[Fix] upstream: drop pool-less branch in set_token_bucket

The fallback that g_malloc'd a fresh limits struct when no pool was
available leaked it on the next call and on destroy. The function is
only ever invoked with a real ctx; assert that explicitly. Also keep
the new refill rate proportional to max_tokens when it's overridden,
so users tuning the bucket size don't get a stale default refill.
---

diff --git a/src/libutil/upstream.c b/src/libutil/upstream.c
index a43e026497..c3cbfb0338 100644
--- a/src/libutil/upstream.c
+++ b/src/libutil/upstream.c
@@ -2525,20 +2525,18 @@ void rspamd_upstreams_set_token_bucket(struct upstream_list *ups,
 {
 	struct upstream_limits *nlimits;
 	g_assert(ups != NULL);
+	g_assert(ups->ctx != NULL && ups->ctx->pool != NULL);
 
-	/* Allocate new limits if we have a pool, otherwise modify in place */
-	if (ups->ctx && ups->ctx->pool) {
-		nlimits = rspamd_mempool_alloc(ups->ctx->pool, sizeof(*nlimits));
-		memcpy(nlimits, ups->limits, sizeof(*nlimits));
-	}
-	else {
-		/* No pool, we need to be careful here */
-		nlimits = g_malloc(sizeof(*nlimits));
-		memcpy(nlimits, ups->limits, sizeof(*nlimits));
-	}
+	nlimits = rspamd_mempool_alloc(ups->ctx->pool, sizeof(*nlimits));
+	memcpy(nlimits, ups->limits, sizeof(*nlimits));
 
 	if (max_tokens > 0) {
 		nlimits->token_bucket_max = max_tokens;
+		/* Keep refill rate proportional: full bucket regenerates in 60s. */
+		nlimits->token_bucket_refill_per_s = max_tokens / 60;
+		if (nlimits->token_bucket_refill_per_s == 0) {
+			nlimits->token_bucket_refill_per_s = 1;
+		}
 	}
 	if (scale_factor > 0) {
 		nlimits->token_bucket_scale = scale_factor;