From 681e49db491a05fe48704c68f79d188f1d5199fb Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 6 Dec 2013 15:30:05 +0100 Subject: [PATCH] BUG/MEDIUM: args: fix double free on error path in argument expression parser William Lallemand reported a double free on the args parser used in fetches and ACLs. The cause is that the arg expression is not fully initialized nor deinitialized when killed and that one of the pointers was already freed once in certain error conditions. Simply set it to NULL after the first call to free(). The bug was apparently introduced in 1.5-dev9 with commit 2ac5718 (MEDIUM: add a new typed argument list parsing framework). --- src/arg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/arg.c b/src/arg.c index 1bf6444d3..e7bed1ed9 100644 --- a/src/arg.c +++ b/src/arg.c @@ -290,6 +290,7 @@ int make_arg_list(const char *in, int len, unsigned int mask, struct arg **argp, err: free(word); free(*argp); + *argp = NULL; if (err_arg) *err_arg = pos; if (err_ptr)
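Review bot: the added `*argp = NULL;` after `free(*argp);` on the `err:` path carries no comment saying why the reset is needed, and nothing in the visible lines documents what `*argp` holds when `make_arg_list()` fails. Suggest a short comment at that line (for example `/* don't leave a dangling pointer for a later free() */`) and a sentence in the function's header comment stating that `*argp` is NULL on error, so callers can rely on it instead of tracking ownership themselves. Separately, `free(word);` just above on the same path is not followed by a reset. That is harmless if `word` is a local that is never released before a `goto err`, but it is worth confirming, since the commit message describes the expression as not fully deinitialized and this hunk only clears one pointer.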