git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref
author Christopher Faulet <cfaulet@haproxy.com>
Fri, 22 May 2026 12:08:27 +0000 (14:08 +0200)
committer Christopher Faulet <cfaulet@haproxy.com>
Fri, 22 May 2026 15:17:01 +0000 (17:17 +0200)
In dict_entry_unref(), the write lock on d->rwlock was only acquired after
decrementing the refcount. However, between the decrement and the lock,
another thread could increment it by calling dict_insert(). That could lead
to a UAF.

To fix the issue, the call to HA_ATOMIC_SUB_FETCH is moved inside the write
lock.

This patch must be backported to all stable versions.

src/dict.c

index c4c54664e68dc2d6db0fade5490a28bbdc635999..34689ef77401c5d2c5937b71f12ad066a270bb4f 100644 (file)
@@ -117,10 +117,11 @@ void dict_entry_unref(struct dict *d, struct dict_entry *de)
        if (!de)
                return;
 
-       if (HA_ATOMIC_SUB_FETCH(&de->refcount, 1) != 0)
-               return;
-
        HA_RWLOCK_WRLOCK(DICT_LOCK, &d->rwlock);
+       if (HA_ATOMIC_SUB_FETCH(&de->refcount, 1) != 0) {
+               HA_RWLOCK_WRUNLOCK(DICT_LOCK, &d->rwlock);
+               return;
+       }
        ebpt_delete(&de->value);
        HA_RWLOCK_WRUNLOCK(DICT_LOCK, &d->rwlock);
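Review bot: the decrement at `if (HA_ATOMIC_SUB_FETCH(&de->refcount, 1) != 0) {` is only race-free if dict_insert() takes its reference on an existing entry while holding `d->rwlock`, and that side is not visible in this hunk. A short comment above `HA_RWLOCK_WRLOCK(DICT_LOCK, &d->rwlock);` stating that invariant would keep a later change from moving the decrement back outside the lock. Since every unref now takes the write lock even when the count does not reach zero, the comment could also record that this extra contention is accepted deliberately.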