From cd03be73d59ad2c5d9ad43b28a1b0fda9f32526c Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 12 Mar 2021 12:00:14 +0100
Subject: [PATCH] BUG/MINOR: tcpcheck: Fix double free on error path when parsing tcp/http-check

When a "tcp-check" or a "http-check" rule is parsed, we try to get the previous rule in the ruleset to get its index. We must take care to reset the pointer on this rule in case an error is triggered later on the parsing. Otherwise, the same rule may be released twice. For instance, it happens with such line : http-check meth GET uri / ## note there is no "send" parameter This patch must be backported as far as 2.2.
---
 src/tcpcheck.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 535c82c89..55ecd2383 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -3708,6 +3708,7 @@ static int proxy_parse_tcpcheck(char **args, int section, struct proxy *curpx,
 if (!LIST_ISEMPTY(&rs->rules)) {
 chk = LIST_PREV(&rs->rules, typeof(chk), list);
 index = chk->index + 1;
+ chk = NULL;
 }

 cur_arg = 1;
@@ -3809,6 +3810,7 @@ static int proxy_parse_httpcheck(char **args, int section, struct proxy *curpx,
 chk = LIST_PREV(&rs->rules, typeof(chk), list);
 if (chk->action != TCPCHK_ACT_SEND || !(chk->send.http.flags & TCPCHK_SND_HTTP_FROM_OPT))
 index = chk->index + 1;
+ chk = NULL;
 }

 if (strcmp(args[cur_arg], "connect") == 0)
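Review bot: The added `chk = NULL;` in proxy_parse_tcpcheck has no comment saying that `chk` only borrows the last rule of `rs->rules` at that point, so a later cleanup could drop the reset as a dead store and bring the double free back; the same applies to the second hunk in proxy_parse_httpcheck. I would put `/* chk is still linked in rs->rules and owned by the ruleset: reset it so the error path cannot release it */` above each reset, or read the index through a separate local (for example `prev`) so the pointer the error path frees never aliases a listed rule. In the second hunk the reset directly follows an unbraced `if`, so bracing that `if` would make it obvious that only the index assignment is conditional. Both function bodies, including the error path that releases `chk`, lie outside the hunks, so the cleanup behaviour is taken from the commit message rather than from visible lines.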