---
When the set-var() converter is used inside an ACL expression such as:
http-request allow if { path,set-var(sess.foo) -m found }
a heap-use-after-free crash occurs at runtime. The issue is in vars_check_arg(),
which destroys the argument string buffer via chunk_destroy() while desc.name
still points to it.
This patch adds the missing assignment to update desc.name to point to the
newly allocated saved_name before chunk_destroy() is called.
---
src/vars.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/vars.c b/src/vars.c
index 1a0c2b8f4..b65d19665 100644
--- a/src/vars.c
+++ b/src/vars.c
@@ -831,6 +831,8 @@ int vars_check_arg(struct arg *arg, char **err)
memprintf(err, "out of memory");
return 0;
}
+
+ desc.name = saved_name;
}
if (desc.scope == SCOPE_PROC && !var_set(&desc, &empty_smp,
VF_CREATEONLY|VF_PERMANENT)) {
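Review bot: The added `desc.name = saved_name;` has no comment, and nothing at that line shows that desc.name otherwise aliases the argument's string buffer, which the commit message says chunk_destroy() releases later in vars_check_arg(). I would put `/* desc.name pointed into arg's buffer, which is destroyed below; switch to the private copy */` above it so the assignment is not later dropped as redundant. The body of the `if (desc.scope == SCOPE_PROC && !var_set(...))` branch lies outside the hunk, so it is worth confirming that this failure path frees saved_name now that desc refers to it. A regression test that loads the ACL line from the commit message under AddressSanitizer would keep the fix from regressing. vars_check_arg() begins and ends outside the hunk.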
--
2.48.1