BUG/MINOR: mworker-prog: Fix segmentation fault during cfgparse

Consider this configuration: frontend fe_http mode http bind *:8080 default_backend be_http backend be_http mode http server example example.com:80 program foo bar Running with valgrind results in: ==16252== Invalid read of size 8 ==16252== at 0x52AE3F: cfg_parse_program (mworker-prog.c:233) ==16252== by 0x4823B3: readcfgfile (cfgparse.c:2180) ==16252== by 0x47BCED: init (haproxy.c:1649) ==16252== by 0x404E22: main (haproxy.c:2714) ==16252== Address 0x48 is not stack'd, malloc'd or (recently) free'd Check whether `ext_child` is valid before attempting to free it and its contents. This bug was introduced in 9a1ee7ac31. This fix must be backported to HAProxy 2.0.
2025-03-08 04:18:58 +00:00 · 2019-06-23 22:10:12 +02:00 · 2019-06-23 22:10:12 +02:00 · 2c9e274f45
commit 2c9e274f45
parent 3c55efb7dd
1 changed files with 15 additions and 13 deletions
--- a/src/mworker-prog.c
+++ b/src/mworker-prog.c
@ -230,22 +230,24 @@ int cfg_parse_program(const char *file, int linenum, char **args, int kwm)
 	return err_code;

 error:
-	LIST_DEL(&ext_child->list);
-	if (ext_child->command) {
-		int i;
+	if (ext_child) {
+		LIST_DEL(&ext_child->list);
+		if (ext_child->command) {
+			int i;

-		for (i = 0; ext_child->command[i]; i++) {
-			if (ext_child->command[i]) {
-				free(ext_child->command[i]);
-				ext_child->command[i] = NULL;
+			for (i = 0; ext_child->command[i]; i++) {
+				if (ext_child->command[i]) {
+					free(ext_child->command[i]);
+					ext_child->command[i] = NULL;
+				}
 			}
+			free(ext_child->command);
+			ext_child->command = NULL;
+		}
+		if (ext_child->id) {
+			free(ext_child->id);
+			ext_child->id = NULL;
 		}
-		free(ext_child->command);
-		ext_child->command = NULL;
-	}
-	if (ext_child->id) {
-		free(ext_child->id);
-		ext_child->id = NULL;
 	}

 	free(ext_child);