From 351ae5dbeda32a257d2970a140747107f750fe4e Mon Sep 17 00:00:00 2001 From: Valentine Krasnobaeva Date: Thu, 21 Nov 2024 16:21:54 +0100 Subject: [PATCH] BUG/MINOR: startup: fix UAF when set the default for log_tag In the init_early() global.log_tag is initialized to the string from progname pointer and global.log_tag.area points to this pointer. If log-tag keyword is provided in the configuration, its parser at first frees global.log_tag.area and then it does a new memory allocation to copy there the argument of log-tag. So, progname no longer points to the valid memory. To fix this, let's always keep progname and global.log_tag.area at separate memory areas. If log_tag will be redefined in the configuration, its parser will free the memory allocated for the default value in chunk_destroy(). Memory allocated for progname will be freed in deinit(). This should not be backported as related to the latest master-worker refactoring. --- src/haproxy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/haproxy.c b/src/haproxy.c index 063ec5cb98..6079b9d1b7 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -1592,7 +1592,7 @@ static void init_early(int argc, char **argv) exit(EXIT_FAILURE); } - chunk_initlen(&global.log_tag, progname, len, len); + chunk_initlen(&global.log_tag, strdup(progname), len, len); } /* handles program arguments. Very minimal parsing is performed, variables are -- 2.47.3
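Review bot: the return value of strdup(progname) in the added `chunk_initlen(&global.log_tag, strdup(progname), len, len);` line in init_early() is never checked, so an allocation failure would leave global.log_tag with a NULL area while its data and size fields are both set to len. Suggest duplicating into a local variable first and, if it is NULL, taking the same exit(EXIT_FAILURE) path as the block just above before calling chunk_initlen(). A one-line comment here stating that log_tag owns its own copy (released by chunk_destroy() in the log-tag parser, as the commit message describes, while progname is freed in deinit()) would also help keep a later change from reintroducing the alias.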