From 32b9e97f9207c2d57dee1d6842f7b9ee52fb3c76 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Thu, 11 Apr 2024 11:05:02 +0200
Subject: [PATCH] BUG/MINOR: guid: fix crash on invalid guid name

Using an invalid GUID for guid_insert() causes a crash. This is easily reproducible using for example an invalid character with "guid" keyword. Here is the provided backtrace : Thread 1 "haproxy" received signal SIGSEGV, Segmentation fault. 0x00005555561fda95 in guid_insert (objt=0x520000002080, uid=0x519000002dac "@foo2", errmsg=0x7ffff4c0a7a0) at src/guid.c:83 83 ha_free(&guid->node.key); This error is present in guid_insert() cleanup parts. GUID node is not allocated in case of an early error so it's impossible to dereference it to free guid.node.key. Fix this simply by using an intermediary pointer key. This does not need to be backported.
---
 src/guid.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/guid.c b/src/guid.c
index 1f56ec9ba..d3773d4a4 100644
--- a/src/guid.c
+++ b/src/guid.c
@@ -28,6 +28,7 @@ int guid_insert(enum obj_type *objt, const char *uid, char **errmsg)
 struct guid_node *guid = NULL;
 struct guid_node *dup;
 struct ebpt_node *node;
+ char *key = NULL;
 char *dup_name = NULL;
 const char *c;
 
@@ -61,12 +62,13 @@ int guid_insert(enum obj_type *objt, const char *uid, char **errmsg)
 return 0;
 }
 
- guid->node.key = strdup(uid);
- if (!guid->node.key) {
+ key = strdup(uid);
+ if (!key) {
 memprintf(errmsg, "key alloc failure");
 goto err;
 }
 
+ guid->node.key = key;
 node = ebis_insert(&guid_tree, &guid->node);
 if (node != &guid->node) {
 dup = ebpt_entry(node, struct guid_node, node);
@@ -79,8 +81,7 @@ int guid_insert(enum obj_type *objt, const char *uid, char **errmsg)
 return 0;
 
 err:
- ALREADY_CHECKED(guid);
- ha_free(&guid->node.key);
+ ha_free(&key);
 ha_free(&dup_name);
 return 1;
 }
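Review bot: In the third hunk the `err:` path now frees `key` but leaves `guid->node.key` pointing at the released buffer whenever `err` is reached after the new `guid->node.key = key;` assignment in the second hunk; the duplicate branch under `if (node != &guid->node)` looks like such a path, though its body is outside the hunk. `guid` itself is not released in the visible cleanup, so if the owning object is later inspected or removed from the tree the stale key could be read. I would clear the field next to the free, `ha_free(&key); if (guid) guid->node.key = NULL;`, keeping the `guid` check because the early validation failure that motivated this fix reaches `err` while `guid` is still NULL. guid_insert's body starts outside the hunk.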