From b28ded19a496b522568285831555748da0d40615 Mon Sep 17 00:00:00 2001 From: Aurelien DARRAGON Date: Wed, 5 Apr 2023 16:18:40 +0200 Subject: [PATCH] BUG/MINOR: errors: invalid use of memprintf in startup_logs_init() On startup/reload, startup_logs_init() will try to export startup logs shm filedescriptor through the internal HAPROXY_STARTUPLOGS_FD env variable. While memprintf() is used to prepare the string to be exported via setenv(), str_fd argument (first argument passed to memprintf()) could be non NULL as a result of HAPROXY_STARTUPLOGS_FD env variable being already set. Indeed: str_fd is already used earlier in the function to store the result of getenv("HAPROXY_STARTUPLOGS_FD"). The issue here is that memprintf() is designed to free the 'out' argument if out != NULL, and here we don't expect str_fd to be freed since it was provided by getenv() and would result in memory violation. To prevent any invalid free, we must ensure that str_fd is set to NULL prior to calling memprintf(). This must be backported in 2.7 with eba6a54cd4 ("MINOR: logs: startup-logs can use a shm for logging the reload") --- src/errors.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/errors.c b/src/errors.c index 8221adb0e..ba4b8ced5 100644 --- a/src/errors.c +++ b/src/errors.c @@ -145,6 +145,7 @@ void startup_logs_init() if (!r) goto error; + str_fd = NULL; memprintf(&str_fd, "%d", fd); setenv("HAPROXY_STARTUPLOGS_FD", str_fd, 1); ha_free(&str_fd);
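Review bot: the added `str_fd = NULL;` just before `memprintf(&str_fd, "%d", fd);` works, but it leaves one variable holding two kinds of pointer: earlier in the function a borrowed pointer from getenv() that must never be freed, and here an owned heap buffer that is released with `ha_free(&str_fd);`. Nothing in the hunk tells a later reader why the reset is there, so a cleanup that removes the "redundant" assignment would reintroduce the invalid free. Either add a short comment on that line saying the pointer came from getenv() and must not be passed to memprintf(), or use a separate local for the formatted string so the borrowed and owned pointers cannot be confused. Separately, in the context lines the result of memprintf() is not checked before `setenv("HAPROXY_STARTUPLOGS_FD", str_fd, 1);`, so if the allocation fails str_fd stays NULL and is handed to setenv() as the value; a check that jumps to the existing `error` label, as the `if (!r)` test above does, would close that path.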