BUG/MAJOR: map: fix a segfault when using http-request set-map The bug happens with an existing entry, when you try to overwrite the value with wrong data, for example, a string when the type is INT. The code path was not secure and tried to set *err and *merr while err = merr = NULL when performing an http action. Must be backported in 1.6, 1.7, 1.8.

commit: 579fb25b6215d64a2e064550c1d186547414cc68 [log] [tgz]
author: William Lallemand <wlallemand@haproxy.com> Mon Jun 11 10:53:46 2018 +0200
committer: Willy Tarreau <w@1wt.eu> Mon Jun 11 11:02:06 2018 +0200
tree: bbc8bc39a09bba1fa7b87f86e3c6a192d7f86a57
parent: 6e1796e85d5351535416018112fc19ccacc7fc5e [diff]
diff --git a/src/pattern.c b/src/pattern.c
index 2eb8265..35c1c7e 100644
--- a/src/pattern.c
+++ b/src/pattern.c

@@ -1815,12 +1815,14 @@
 	list_for_each_entry(elt, &ref->head, list) {
 		if (strcmp(key, elt->pattern) == 0) {
 			if (!pat_ref_set_elt(ref, elt, value, merr)) {
-				if (!found)
-					*err = *merr;
-				else {
-					memprintf(err, "%s, %s", *err, *merr);
-					free(*merr);
-					*merr = NULL;
+				if (err && merr) {
+					if (!found) {
+						*err = *merr;
+					} else {
+						memprintf(err, "%s, %s", *err, *merr);
+						free(*merr);
+						*merr = NULL;
+					}
 				}
 			}
 			found = 1;
commit	579fb25b6215d64a2e064550c1d186547414cc68	[log] [tgz]
author	William Lallemand <wlallemand@haproxy.com>	Mon Jun 11 10:53:46 2018 +0200
committer	Willy Tarreau <w@1wt.eu>	Mon Jun 11 11:02:06 2018 +0200
tree	bbc8bc39a09bba1fa7b87f86e3c6a192d7f86a57
parent	6e1796e85d5351535416018112fc19ccacc7fc5e [diff]