I found there is use_after_free bug in the pat_ref_delete_by_id.
diff --git a/haproxy/src/pattern.c b/haproxy/src/pattern.c
index 4bd6924..0bd35a7 100644
--- a/haproxy/src/pattern.c
+++ b/haproxy/src/pattern.c
@@ -1573,14 +1573,14 @@ int pat_ref_delete_by_id(struct pat_ref *ref, struct pat_ref_elt *refelt)
 /* delete pattern from reference */
 list_for_each_entry_safe(elt, safe, &ref->head, list) {
 if (elt == refelt) {
+ list_for_each_entry(expr, &ref->pat, list)
+ pattern_delete(expr, elt);
+
 list_del(&elt->list);
 haproxy_free(elt->sample);
 haproxy_free(elt->pattern);
 haproxy_free(elt);

- list_for_each_entry(expr, &ref->pat, list)
- pattern_delete(expr, elt);
-
 return 1;
 }
 }
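Review bot: The added pattern_delete loop carries no comment stating why it must precede the three haproxy_free calls, so nothing stops a later edit from reordering the block back into the use-after-free this commit removes; put the constraint at the loop head, e.g. `/* Detach elt from every expression first: pattern_delete() still reads elt, so this must run before elt is freed below. */`. That pattern_delete dereferences elt is taken from the commit description rather than from lines visible here; if it only compares the pointer, the comment should say that instead, since passing a freed pointer is still indeterminate. Not introduced by this change, but since the body returns on the first match the `safe` cursor of list_for_each_entry_safe is never consumed and the plain list_for_each_entry form would read more honestly. pat_ref_delete_by_id begins before this hunk and its fall-through return after the outer loop lies outside it.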