Hi Peter,
On Wed, Oct 07, 2015 at 12:07:43AM -0700, peter cai wrote:
> I found there is a use_after_free bug in pat_ref_delete_by_id.
>
> diff --git a/haproxy/src/pattern.c b/haproxy/src/pattern.c
> index 4bd6924..0bd35a7 100644
> --- a/haproxy/src/pattern.c
> +++ b/haproxy/src/pattern.c
> @@ -1573,14 +1573,14 @@ int pat_ref_delete_by_id(struct pat_ref *ref,
> struct pat_ref_elt *refelt)
> /* delete pattern from reference */
> list_for_each_entry_safe(elt, safe, &ref->head, list) {
> if (elt == refelt) {
> + list_for_each_entry(expr, &ref->pat, list)
> + pattern_delete(expr, elt);
> +
> list_del(&elt->list);
> haproxy_free(elt->sample);
> haproxy_free(elt->pattern);
> haproxy_free(elt);
>
> - list_for_each_entry(expr, &ref->pat, list)
> - pattern_delete(expr, elt);
> -
> return 1;
> }
> }
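Review bot: in the `if (elt == refelt)` branch, nothing documents that the added `list_for_each_entry(expr, &ref->pat, list)` loop must stay ahead of the three `haproxy_free()` calls, and that ordering is the entire fix. A short comment above the loop, saying that `pattern_delete(expr, elt)` is passed `elt` and therefore has to run before `elt->sample`, `elt->pattern` and `elt` are freed, would keep a later cleanup from moving it back below the frees.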
Ah good catch, thank you. I applied it by hand because your mailer
corrupted the patch by wrapping lines, but this time it was easy.
Next time, please send a git format-patch as an attachment, it will
be safer.
Thanks!
Willy