From: Willy Tarreau <w@1wt.eu>
Date: Fri, 15 May 2026 15:33:39 +0000 (+0200)
Subject: BUG/MINOR: proxy: use proxy_drop() in parse_new_proxy() error path
X-Git-Tag: v3.4-dev13~66
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bed842390fce445c1eeabb7e7101fb5d5a7a3b36;p=thirdparty%2Fhaproxy.git

BUG/MINOR: proxy: use proxy_drop() in parse_new_proxy() error path

In parse_new_proxy(), when proxy_defproxy_cpy() fails, the error path used
ha_free(&curproxy) to release the partially constructed proxy. However, the
proxy was allocated via alloc_new_proxy() which performs significant setup:
  - setup_new_proxy() inserts it into the proxy_by_name tree (proxy_store_name)
  - It appends to the global proxies list (LIST_APPEND)
  - proxy_take() increments its refcount

Additionally, proxy_defproxy_cpy() may have allocated further resources
(strdup'd strings, compression structures, email alert fields, etc).

Using ha_free() only freed the proxy struct itself, leaving:
  - The proxy still registered in the name tree (dangling pointer)
  - The proxy still linked in the global proxies list
  - All strdup'd strings and other allocations leaked

This is visible with ASAN when causing random allocation errors:

  [NOTICE]   (27033) : haproxy version is 3.4-dev12-b15468-11
  [NOTICE]   (27033) : path to executable is ./haproxy
  [ALERT]    (27033) : config : parsing [/dev/stdin:5015] : proxy 'bk3': failed to duplicate tcpcheck preset-vars
  [ALERT]    (27033) : config : Error(s) found in configuration file : /dev/stdin

  =================================================================
  ==27033==ERROR: LeakSanitizer: detected memory leaks

  Direct leak of 4 byte(s) in 1 object(s) allocated from:
      #0 0x7f113e518e20 in strdup (/usr/lib64/libasan.so.8+0x118e20)
      #1 0x000000955410 in setup_new_proxy src/proxy.c:3178
      #2 0x000000955816 in alloc_new_proxy src/proxy.c:3221
      #3 0x000000956c33 in parse_new_proxy src/proxy.c:3554
      #4 0x000000a24d03 in cfg_parse_listen src/cfgparse-listen.c:495
      #5 0x00000089d33e in parse_cfg src/cfgparse.c:2202
      #6 0x0000009e0bb9 in read_cfg src/haproxy.c:1142
      #7 0x000000447e8c in main src/haproxy.c:3474
      #8 0x7f113d82ad13 in __libc_start_call_main (/lib64/libc.so.6+0x2ad13)
      #9 0x7fff65b4e320  ([stack]+0x20320)

  SUMMARY: AddressSanitizer: 4 byte(s) leaked in 1 allocation(s).

The fix replaces ha_free(&curproxy) with proxy_drop(curproxy), which
properly calls deinit_proxy() to release all internal resources, removes
the proxy from trees and lists, decrements the refcount, and frees the
struct.

No backport is needed since proxy_drop() is only in 3.4.
---

diff --git a/src/proxy.c b/src/proxy.c
index dab4c5e9a..c6c4eb293 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -3562,7 +3562,7 @@ struct proxy *parse_new_proxy(const char *name, unsigned int cap,
 			ha_alert("parsing [%s:%d] : %s\n", file, linenum, errmsg);
 			free(errmsg);
 
-			ha_free(&curproxy);
+			proxy_drop(curproxy);
 			return NULL;
 		}
 	}