RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-02-24 06:36:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: pattern: fixup use_after_free in the pat_ref_delete_by_id

Browse Source 
I found there is use_after_free bug in the pat_ref_delete_by_id.

[wt: it seems this fix must be backported to 1.5 as well]
This commit is contained in:
peter cai 2015-10-07 00:07:43 -07:00 committed by Willy Tarreau
parent 7e0c9713b4
commit aede6ddd1f
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/pattern.c
View File

@ -1540,14 +1540,13 @@ int pat_ref_delete_by_id(struct pat_ref *ref, struct pat_ref_elt *refelt)
/* delete pattern from reference */
list_for_each_entry_safe(elt, safe, &ref->head, list) {
if (elt == refelt) {
list_for_each_entry(expr, &ref->pat, list)
pattern_delete(expr, elt);
LIST_DEL(&elt->list);
free(elt->sample);
free(elt->pattern);
free(elt);
list_for_each_entry(expr, &ref->pat, list)
pattern_delete(expr, elt);
return 1;
}
}