From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Mon, 23 Mar 2026 12:50:17 +0000 (+0100)
Subject: BUG/MINOR: http_htx: fix null deref in http-errors config check
X-Git-Tag: v3.4-dev8~138
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1c379cad88a5039412df6b35cc39b7ee8b467fa8;p=thirdparty%2Fhaproxy.git

BUG/MINOR: http_htx: fix null deref in http-errors config check

http-errors parsing has been refactored in a recent serie of patches.
However, a null deref was introduced by the following patch in case a
non-existent http-errors section is referenced by an "errorfiles"
directive.

  commit 2ca7601c2d6781f455cf205e4f3b52f5beb16e41
  MINOR/OPTIM: http_htx: lookup once http_errors section on check/init

Fix this by delaying ha_free() so that it is called after ha_alert().

No need to backport.
---

diff --git a/src/http_htx.c b/src/http_htx.c
index dc18735e3..bd550be98 100644
--- a/src/http_htx.c
+++ b/src/http_htx.c
@@ -2352,15 +2352,16 @@ int proxy_check_http_errors(struct proxy *px)
 				}
 			}
 
-			ha_free(&conf_err->type.section.name);
 			if (!section_found) {
 				ha_alert("proxy '%s': unknown http-errors section '%s' (at %s:%d).\n",
 				         px->id, conf_err->type.section.name, conf_err->file, conf_err->line);
+				ha_free(&conf_err->type.section.name);
 				err |= ERR_ALERT | ERR_FATAL;
 				continue;
 			}
 
 			conf_err->type.section.resolved = http_errs;
+			ha_free(&conf_err->type.section.name);
 
 			for (rc = 0; rc < HTTP_ERR_SIZE; rc++) {
 				if (conf_err->type.section.status[rc] == HTTP_ERR_IMPORT_EXPLICIT &&