BUG/MINOR: mworker-prog: Fix segmentation fault during cfgparse
Consider this configuration:
frontend fe_http
mode http
bind *:8080
default_backend be_http
backend be_http
mode http
server example example.com:80
program foo bar
Running with valgrind results in:
==16252== Invalid read of size 8
==16252== at 0x52AE3F: cfg_parse_program (mworker-prog.c:233)
==16252== by 0x4823B3: readcfgfile (cfgparse.c:2180)
==16252== by 0x47BCED: init (haproxy.c:1649)
==16252== by 0x404E22: main (haproxy.c:2714)
==16252== Address 0x48 is not stack'd, malloc'd or (recently) free'd
Check whether `ext_child` is valid before attempting to free it and its
contents.
This bug was introduced in 9a1ee7ac31c56fd7d881adf2ef4659f336e50c9f.
This fix must be backported to HAProxy 2.0.
diff --git a/src/mworker-prog.c b/src/mworker-prog.c
index 467ce9b..ba52406 100644
--- a/src/mworker-prog.c
+++ b/src/mworker-prog.c
@@ -230,22 +230,24 @@
return err_code;
error:
- LIST_DEL(&ext_child->list);
- if (ext_child->command) {
- int i;
+ if (ext_child) {
+ LIST_DEL(&ext_child->list);
+ if (ext_child->command) {
+ int i;
- for (i = 0; ext_child->command[i]; i++) {
- if (ext_child->command[i]) {
- free(ext_child->command[i]);
- ext_child->command[i] = NULL;
+ for (i = 0; ext_child->command[i]; i++) {
+ if (ext_child->command[i]) {
+ free(ext_child->command[i]);
+ ext_child->command[i] = NULL;
+ }
}
+ free(ext_child->command);
+ ext_child->command = NULL;
+ }
+ if (ext_child->id) {
+ free(ext_child->id);
+ ext_child->id = NULL;
}
- free(ext_child->command);
- ext_child->command = NULL;
- }
- if (ext_child->id) {
- free(ext_child->id);
- ext_child->id = NULL;
}
free(ext_child);