From: Dragan Dosen Date: Tue, 18 Sep 2018 18:18:09 +0000 (+0200) Subject: BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list X-Git-Tag: v1.9-dev3~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f147479bd56bfeb442b25c458dab95b70d6e1c8b;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list A null pointer assignment was missing after free() in function pat_ref_reload() which can lead to segfault. This bug was introduced in commit b5997f7 ("MAJOR: threads/map: Make acls/maps thread safe"). Must be backported to 1.8.
---
diff --git a/src/pattern.c b/src/pattern.c
index 261a0b4b1f..664afc9d41 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -2067,10 +2067,8 @@ int pat_ref_add(struct pat_ref *ref,
 void pat_ref_reload(struct pat_ref *ref, struct pat_ref *replace)
 {
 struct pattern_expr *expr;
- char *err = NULL;
 struct pat_ref_elt *elt, *safe;
 struct bref *bref, *back;
- struct sample_data *data;
 struct pattern pattern;
@@ -2105,6 +2103,9 @@ void pat_ref_reload(struct pat_ref *ref, struct pat_ref *replace)
 list_for_each_entry(expr, &ref->pat, list) {
 expr->pat_head->prune(expr);
 list_for_each_entry(elt, &ref->head, list) {
+ char *err = NULL;
+ struct sample_data *data = NULL;
+
 /* Create sample */
 if (elt->sample && expr->pat_head->parse_smp) {
 /* New sample. */
@@ -2122,8 +2123,6 @@ void pat_ref_reload(struct pat_ref *ref, struct pat_ref *replace)
 }
 }
- else
- data = NULL;
 /* initialise pattern */
 memset(&pattern, 0, sizeof(pattern));
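Review bot: The new `char *err = NULL;` and `struct sample_data *data = NULL;` in the second hunk (`@@ -2105,6 +2103,9 @@`) carry the whole fix, yet nothing in the code says that their per-iteration re-initialisation is what prevents the double free. Per the commit message a pointer was left non-NULL after `free()`; the free itself is outside the visible hunks, so presumably it sits on the parse-error path inside this loop. I would add a comment above the two declarations such as `/* reset for every element: both may be freed on the error path below, and a stale value would be freed again */`, so a later cleanup does not hoist them back to function scope. The loop body continues beyond the hunk.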