From 6cfc8516741c57fb9f879b364568cfa79a6b42a1 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 9 Sep 2020 16:09:44 +0200 Subject: [PATCH] BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned It must be done to expire patterns cached in the LRU cache. Otherwise it is possible to retrieve an already freed pattern, attached to a released pattern expression. When a specific pattern is deleted (->delete() callback), the pattern expression revision is already renewed. Thus it is not affected by this bug. Only prune action on the pattern expression is concerned. In addition, for a pattern expression, in ->prune() callbacks when the pattern list is released, a missing LIST_DEL() has been added. It is not a real issue because the list is reinitialized at the end and all elements are released and should never be reused. But it is less confusing this way. This bug may be triggered when a map is cleared from the cli socket. A workaround is to set the pattern cache size (tune.pattern.cache-size) to 0 to disable it. This patch should fix the issue #844. It must be backported to all supported versions. --- src/pattern.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/pattern.c b/src/pattern.c index a404ac34d..5de9de1ab 100644 --- a/src/pattern.c +++ b/src/pattern.c @@ -1093,6 +1093,7 @@ void pat_prune_val(struct pattern_expr *expr) struct pattern_list *pat, *tmp; list_for_each_entry_safe(pat, tmp, &expr->patterns, list) { + LIST_DEL(&pat->list); free(pat->pat.data); free(pat); } @@ -1100,6 +1101,7 @@ void pat_prune_val(struct pattern_expr *expr) free_pattern_tree(&expr->pattern_tree); free_pattern_tree(&expr->pattern_tree_2); LIST_INIT(&expr->patterns); + expr->revision = rdtsc(); } void pat_prune_ptr(struct pattern_expr *expr) @@ -1107,6 +1109,7 @@ void pat_prune_ptr(struct pattern_expr *expr) struct pattern_list *pat, *tmp; list_for_each_entry_safe(pat, tmp, &expr->patterns, list) { + LIST_DEL(&pat->list); free(pat->pat.ptr.ptr); free(pat->pat.data); free(pat); @@ -1115,6 +1118,7 @@ void pat_prune_ptr(struct pattern_expr *expr) free_pattern_tree(&expr->pattern_tree); free_pattern_tree(&expr->pattern_tree_2); LIST_INIT(&expr->patterns); + expr->revision = rdtsc(); } void pat_prune_reg(struct pattern_expr *expr) @@ -1122,6 +1126,7 @@ void pat_prune_reg(struct pattern_expr *expr) struct pattern_list *pat, *tmp; list_for_each_entry_safe(pat, tmp, &expr->patterns, list) { + LIST_DEL(&pat->list); regex_free(pat->pat.ptr.ptr); free(pat->pat.data); free(pat); @@ -1130,6 +1135,7 @@ void pat_prune_reg(struct pattern_expr *expr) free_pattern_tree(&expr->pattern_tree); free_pattern_tree(&expr->pattern_tree_2); LIST_INIT(&expr->patterns); + expr->revision = rdtsc(); } /*