From: Christopher Faulet Date: Fri, 22 May 2026 12:08:27 +0000 (+0200) Subject: BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref X-Git-Tag: v3.4-dev14~64 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2644f9ddf92975f570788ed7ce5bd585b0e85f28;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref In dict_entry_unref(), the write lock on d->rwlock was only acquired after decrementing the refcount. However, between the decrement and the lock, another thread could increment it by calling dict_insert(). That could lead to a UAF. To fix the issue, the call to HA_ATOMIC_SUB_FETCH is moved inside the write lock. This patch must be backported to all stable versions. --- diff --git a/src/dict.c b/src/dict.c index c4c54664e..34689ef77 100644 --- a/src/dict.c +++ b/src/dict.c @@ -117,10 +117,11 @@ void dict_entry_unref(struct dict *d, struct dict_entry *de) if (!de) return; - if (HA_ATOMIC_SUB_FETCH(&de->refcount, 1) != 0) - return; - HA_RWLOCK_WRLOCK(DICT_LOCK, &d->rwlock); + if (HA_ATOMIC_SUB_FETCH(&de->refcount, 1) != 0) { + HA_RWLOCK_WRUNLOCK(DICT_LOCK, &d->rwlock); + return; + } ebpt_delete(&de->value); HA_RWLOCK_WRUNLOCK(DICT_LOCK, &d->rwlock);
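Review bot: the fix is only sound if dict_insert() performs its lookup and refcount increment while holding d->rwlock, and that assumption should be stated in the commit message; the hunk alone shows just that the decrement `if (HA_ATOMIC_SUB_FETCH(&de->refcount, 1) != 0) {` now sits after `HA_RWLOCK_WRLOCK(DICT_LOCK, &d->rwlock);` and before `ebpt_delete(&de->value);`, so a reader has to trust that the incrementing side takes the same lock for the window described in the message to be closed. A second point for the message: every dict_entry_unref() call now acquires the write lock, including the common case where the count stays above zero, so the former lock-free fast path is gone and hot-path callers will contend on d->rwlock; since this is marked for backport to all stable versions, that cost deserves a sentence and, ideally, a quick measurement. The early-return branch does release the lock with `HA_RWLOCK_WRUNLOCK(DICT_LOCK, &d->rwlock);` before `return;`, and the `if (!de) return;` null check remains outside the lock, both of which look correct.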