Hello,

While compile-testing 1.9-dev with the Clang/LLVM analyzer, it found the following (possible) scenario:

1- In function cfg_cache_postparser(), when entering the nested loop in line 914, cache_ptr is free()d and redefined to cache (line 918):

    914         list_for_each_entry(cache, &caches, list) {
    915                 if (!strcmp(cache->id, cache_ptr)) {
    916                         /* there can be only one filter per cache, so we free it there */
    917                         free(cache_ptr);
    918                         cache_ptr = cache;
    919                         break;
    920                 }
    921         }

2- The loop is interrupted on the break in line 919;

3- If the test in line 923 passes (testing cache_ptr against the pointer fconf->conf), the ha_alert() function in line 924 will be called and attempt to print/dereference the (recently freed) content pointed to by fconf->conf:

    923         if (cache_ptr == fconf->conf) {
    924                 ha_alert("Proxy '%s': unable to find the cache '%s' referenced by the filter 'cache'.\n",
    925                          curproxy->id, (char *)fconf->conf);
    926                 err++;
    927         }

I'm not sure how realistic this might be (especially to exploit), but it feels worthy of reporting.

Cheers,

-- 
Ricardo Nabinger Sanchez
http://www.taghos.com.br/
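The pattern the report describes, reduced to a self-contained C illustration. This is added example code, not HAProxy's cfg_cache_postparser() nor code from the reporter; struct cache, struct filter_conf, resolve_cache_filter_unsafe(), resolve_cache_filter_safe() and demo_resolve() are hypothetical names, and the cache list is constructed inline. The unsafe variant keeps the reported ordering (free() inside the loop, then a comparison and possible print of the same pointer); the hardened variant carries the lookup result in a return value, reports the failure from the still-live id string, and only free()s the string once nothing else refers to it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the HAProxy structures named in the report. */
struct cache {
    const char *id;
    struct cache *next;
};

/* conf holds the cache id string at parse time and is rebound to the
 * struct cache * once the reference is resolved. */
struct filter_conf {
    void *conf;
};

/* Ordering as reported: free() the id string as soon as a match is found,
 * then compare fconf->conf (which still holds the freed address) and print
 * it if the comparison holds. Shown for contrast only; not called below. */
int resolve_cache_filter_unsafe(struct filter_conf *fconf, struct cache *caches)
{
    void *cache_ptr = fconf->conf;
    struct cache *cache;
    int err = 0;

    for (cache = caches; cache; cache = cache->next) {
        if (!strcmp(cache->id, cache_ptr)) {
            free(cache_ptr);              /* id string released here ... */
            cache_ptr = cache;            /* ... while fconf->conf still points at it */
            break;
        }
    }
    if (cache_ptr == fconf->conf) {       /* reads the stale value; if it ever held, */
        fprintf(stderr, "unable to find the cache '%s'\n", (char *)fconf->conf); /* freed memory is printed */
        err++;
    }
    fconf->conf = cache_ptr;
    return err;
}

/* Hardened ordering: decide while the string is alive, report from the live
 * string, rebind first and free() last. Returns 0 when resolved (fconf->conf
 * then points at the struct cache), 1 when unresolved (id string untouched,
 * errbuf filled). */
int resolve_cache_filter_safe(struct filter_conf *fconf, struct cache *caches,
                              char *errbuf, size_t errlen)
{
    char *cache_id = fconf->conf;
    struct cache *cache;

    for (cache = caches; cache; cache = cache->next) {
        if (!strcmp(cache->id, cache_id)) {
            fconf->conf = cache;          /* rebind ... */
            free(cache_id);               /* ... then release; no later reader exists */
            return 0;
        }
    }
    snprintf(errbuf, errlen,
             "unable to find the cache '%s' referenced by the filter 'cache'", cache_id);
    return 1;                             /* caller still owns the valid id string */
}

/* Constructed scenario: two caches, one filter referencing `wanted`.
 * Returns 0 on a resolved reference, 1 when unresolved and the error message
 * names the missing id, 2 if the message is wrong, -1 if rebinding failed. */
int demo_resolve(const char *wanted)
{
    struct cache c2 = { "images", NULL };
    struct cache c1 = { "static", &c2 };
    struct filter_conf fconf;
    char errbuf[128] = "";
    int err;

    fconf.conf = malloc(strlen(wanted) + 1);   /* heap id string, as after parsing */
    memcpy(fconf.conf, wanted, strlen(wanted) + 1);

    err = resolve_cache_filter_safe(&fconf, &c1, errbuf, sizeof errbuf);
    if (err == 0)
        return (fconf.conf == &c1 || fconf.conf == &c2) ? 0 : -1;

    free(fconf.conf);                          /* unresolved: string still valid, free it here */
    return strstr(errbuf, wanted) ? 1 : 2;
}

int main(void)
{
    printf("static -> %d\n", demo_resolve("static"));
    printf("nosuch -> %d\n", demo_resolve("nosuch"));
    return 0;
}
```

The point of the hardened form is that the "not found" decision never depends on comparing a freed address: the outcome is a return value, and the free() moves after the last use of the string.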