mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-06 23:27:04 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: applet: only set appctx->sedesc on successful allocation

Browse Source 
If appctx_new_on() fails to allocate a task, it will not remove the
freshly allocated sedesc from the appctx despite freeing it, causing
a UAF. Let's only assign appctx->sedesc upon success.

This needs to be backported to 2.6. In 2.6 the function is slightly
different and called appctx_new(), though the issue is exactly the
same.
This commit is contained in:
Willy Tarreau 2023-03-21 10:50:51 +01:00
parent a220e59ad8
commit 465a6c8506
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/applet.c
View File

@ -48,6 +48,7 @@ struct appctx *appctx_new_on(struct applet *applet, struct sedesc *sedesc, int t
appctx->obj_type = OBJ_TYPE_APPCTX;
appctx->applet = applet;
appctx->sess = NULL;
appctx->sedesc = NULL;
if (!sedesc) {
sedesc = sedesc_new();
if (!sedesc)
@ -55,11 +56,12 @@ struct appctx *appctx_new_on(struct applet *applet, struct sedesc *sedesc, int t
sedesc->se = appctx;
se_fl_set(sedesc, SE_FL_T_APPLET | SE_FL_ORPHAN);
}
appctx->sedesc = sedesc;
appctx->t = task_new_on(thr);
if (unlikely(!appctx->t))
goto fail_task;
appctx->sedesc = sedesc;
appctx->t->process = task_run_applet;
appctx->t->context = appctx;