From: Willy Tarreau <w@1wt.eu>
Date: Thu, 14 May 2026 21:37:18 +0000 (+0000)
Subject: BUG/MINOR: resolvers: fix leaked dgram and dns_ring struct in parse_resolve_conf()
X-Git-Tag: v3.4-dev13~63
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=677fdfe1264be805d9708fdab49a0a254e674a96;p=thirdparty%2Fhaproxy.git

BUG/MINOR: resolvers: fix leaked dgram and dns_ring struct in parse_resolve_conf()

Some strdup() failures in parse_resolve_conf() do not release everything
due to the way the function is built, resulting in leaks on error that are
caught by ASAN:

  Direct leak of 304 byte(s) in 1 object(s) allocated from:
      #0 0x7fe74231ea23 in calloc (/usr/lib64/libasan.so.8+0x11ea23)
      #1 0x000000af1681 in dns_dgram_init src/dns.c:468
      #2 0x00000091cbbf in parse_resolve_conf src/resolvers.c:3559
      #3 0x00000092179e in cfg_parse_resolvers src/resolvers.c:3815
      #4 0x00000089d33e in parse_cfg src/cfgparse.c:2202
      #5 0x0000009e0a39 in read_cfg src/haproxy.c:1142
      #6 0x000000447e8c in main src/haproxy.c:3474
      #7 0x7fe74162ad13 in __libc_start_call_main (/lib64/libc.so.6+0x2ad13)
      #8 0x7ffc0a43e31f  ([stack]+0x2031f)

  Indirect leak of 131080 byte(s) in 1 object(s) allocated from:
      #0 0x7fe74231f0ab in malloc (/usr/lib64/libasan.so.8+0x11f0ab)
      #1 0x000000c73e19 in dns_ring_new src/dns_ring.c:59
      #2 0x000000af1848 in dns_dgram_init src/dns.c:480
      #3 0x00000091cbbf in parse_resolve_conf src/resolvers.c:3559
      #4 0x00000092179e in cfg_parse_resolvers src/resolvers.c:3815
      #5 0x00000089d33e in parse_cfg src/cfgparse.c:2202
      #6 0x0000009e0a39 in read_cfg src/haproxy.c:1142
      #7 0x000000447e8c in main src/haproxy.c:3474
      #8 0x7fe74162ad13 in __libc_start_call_main (/lib64/libc.so.6+0x2ad13)
      #9 0x7ffc0a43e31f  ([stack]+0x2031f)

  Indirect leak of 64 byte(s) in 1 object(s) allocated from:
      #0 0x7fe74231f0ab in malloc (/usr/lib64/libasan.so.8+0x11f0ab)
      #1 0x000000c73e09 in dns_ring_new src/dns_ring.c:55
      #2 0x000000af1848 in dns_dgram_init src/dns.c:480
      #3 0x00000091cbbf in parse_resolve_conf src/resolvers.c:3559
      #4 0x00000092179e in cfg_parse_resolvers src/resolvers.c:3815
      #5 0x00000089d33e in parse_cfg src/cfgparse.c:2202
      #6 0x0000009e0a39 in read_cfg src/haproxy.c:1142
      #7 0x000000447e8c in main src/haproxy.c:3474
      #8 0x7fe74162ad13 in __libc_start_call_main (/lib64/libc.so.6+0x2ad13)
      #9 0x7ffc0a43e31f  ([stack]+0x2031f)

  SUMMARY: AddressSanitizer: 131448 byte(s) leaked in 3 allocation(s).

Let's free the dgram and the dns ring. This can be backported though it's
not important as it only happens on OOM condition during boot.
---

diff --git a/src/resolvers.c b/src/resolvers.c
index a3292ee85..44a4ee3e2 100644
--- a/src/resolvers.c
+++ b/src/resolvers.c
@@ -3569,6 +3569,8 @@ static int parse_resolve_conf(char **errmsg, char **warnmsg)
 			if (errmsg)
 				memprintf(errmsg, "parsing [/etc/resolv.conf:%d] : out of memory.", resolv_linenum);
 			err_code |= ERR_ALERT | ERR_FATAL;
+			dns_ring_free(newnameserver->dgram->ring_req);
+			free(newnameserver->dgram);
 			free(newnameserver);
 			goto resolv_out;
 		}
@@ -3579,6 +3581,8 @@ static int parse_resolve_conf(char **errmsg, char **warnmsg)
 				memprintf(errmsg, "parsing [/etc/resolv.conf:%d] : out of memory.", resolv_linenum);
 			err_code |= ERR_ALERT | ERR_FATAL;
 			free((char *)newnameserver->conf.file);
+			dns_ring_free(newnameserver->dgram->ring_req);
+			free(newnameserver->dgram);
 			free(newnameserver);
 			goto resolv_out;
 		}