BUG/MEDIUM: acl: properly release unused args in prune_acl_expr()

Stephan Zeisberg reported another dirty abort case which can be triggered
with this simple config (where file "d" doesn't exist) :

    backend b1
        stats  auth a:b
        acl auth_ok http_auth(c) -f d

This issue was brought in 1.5-dev9 by commit 34db108 ("MAJOR: acl: make use
of the new argument parsing framework") when prune_acl_expr() started to
release arguments. The arg pointer is set to NULL but not its length.
Because of this, later in smp_resolve_args(), the argument is still seen
as valid (since only a test on the length is made as in all other places),
and the NULL pointer is dereferenced.

This patch properly clears the lengths to avoid such tests.

This fix needs to be backported to 1.7, 1.6, and 1.5.
Willy Tarreau 2017-04-19 11:13:48 +02:00
parent a2278c8bbb
commit bcfe23a7ec

@ -115,6 +115,7 @@ static struct acl_expr *prune_acl_expr(struct acl_expr *expr)
if (arg->type == ARGT_STR || arg->unresolved) {
free(arg->data.str.str);
arg->data.str.str = NULL;
arg->data.str.len = 0;
unresolved |= arg->unresolved;
arg->unresolved = 0;
}
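Review bot: the added `arg->data.str.len = 0;` is the right fix for this hunk, but it shows that an argument's liveness is judged by `len` alone while its storage is freed through `data.str.str`, so the two fields must always be reset as a pair. Since this branch already does `free(arg->data.str.str); arg->data.str.str = NULL;` by hand, consider folding the three statements into a small helper (e.g. a release-string-arg function) and using it here and wherever else an ARGT_STR argument is freed, so that a future caller cannot clear the pointer and forget the length, which is exactly how the NULL dereference in smp_resolve_args() described in the commit message arose.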