From 2ec387cdc2cf4cba4b69b66e27c0221f64e4c99c Mon Sep 17 00:00:00 2001 From: Aurelien DARRAGON Date: Wed, 14 Jan 2026 19:51:40 +0100 Subject: [PATCH] BUG/MINOR: http_act: fix deinit performed on uninitialized lf_expr in release_http_map() As reported by GH user @Lzq-001 on issue #3245, the config below would cause haproxy to SEGFAULT after having reported an error: frontend 0000000 http-request set-map %[hdr(0000)0_ Root cause is simple, in parse_http_set_map(), we define the release function (which is responsible to clear lf_expr expressions used by the action), prior to initializing the expressions, while the release function assumes the expressions are always initialized. For all similar actions, we already perform the init prior to setting the related release function, but this was not the case for parse_http_set_map(). We fix the bug by initializing the expressions earlier. Thanks to @Lzq-001 for having reported the issue and provided a simple reproducer. It should be backported to all stable versions, note for versions prior to 3.0, lf_expr_init() should be replace by LIST_INIT(), see 6810c41 ("MEDIUM: tree-wide: add logformat expressions wrapper") --- src/http_act.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/http_act.c b/src/http_act.c index 0a4d67cea..2adf6fcca 100644 --- a/src/http_act.c +++ b/src/http_act.c @@ -2005,6 +2005,8 @@ static enum act_parse_ret parse_http_set_map(const char **args, int *orig_arg, s } rule->action_ptr = http_action_set_map; rule->release_ptr = release_http_map; + lf_expr_init(&rule->arg.map.key); + lf_expr_init(&rule->arg.map.value); cur_arg = *orig_arg; if (rule->action == 1 && (!*args[cur_arg] || !*args[cur_arg+1])) { @@ -2040,7 +2042,6 @@ static enum act_parse_ret parse_http_set_map(const char **args, int *orig_arg, s } /* key pattern */ - lf_expr_init(&rule->arg.map.key); if (!parse_logformat_string(args[cur_arg], px, &rule->arg.map.key, LOG_OPT_NONE, cap, err)) { free(rule->arg.map.ref); return ACT_RET_PRS_ERR; @@ -2049,7 +2050,6 @@ static enum act_parse_ret parse_http_set_map(const char **args, int *orig_arg, s if (rule->action == 1) { /* value pattern for set-map only */ cur_arg++; - lf_expr_init(&rule->arg.map.value); if (!parse_logformat_string(args[cur_arg], px, &rule->arg.map.value, LOG_OPT_NONE, cap, err)) { free(rule->arg.map.ref); return ACT_RET_PRS_ERR;