From f7a04b428a47edeabfe40bf1a48a85b03c105633 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Mon, 1 Sep 2025 15:04:18 +0200
Subject: [PATCH] BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server

When "check-alpn" parameter is inherited from the default server, the value is not duplicated, the pointer of the default server is used. However, when this parameter is overridden, the old value is released. So the "check-alpn" value of the default server is released. So it is possible to have a UAF if if another server inherit from the same the default server.

To fix the issue, the "check-alpn" parameter must be handled the same way the "alpn" is. The default value is duplicated. So it could be safely released if it is forced on the server line.

This patch should fix the issue #3096. It must be backported to all stable versions.
---
 src/check.c | 2 +-
 src/server.c | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/check.c b/src/check.c
index 3d03d6aa8..c994108ac 100644
--- a/src/check.c
+++ b/src/check.c
@@ -1574,7 +1574,7 @@ void free_check(struct check *check)
 }
 ha_free(&check->pool_conn_name);
-
+ ha_free(&check->alpn_str);
 task_destroy(check->task);
 check_release_buf(check, &check->bi);
diff --git a/src/server.c b/src/server.c
index d4ae2e895..ccaa1665a 100644
--- a/src/server.c
+++ b/src/server.c
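Review bot: The new `ha_free(&check->alpn_str);` makes free_check() the owner of check.alpn_str, so any future assignment of that field from a pointer the check does not own (a default server's buffer, which is exactly what the old srv_settings_cpy() did) turns into a double free or use-after-free at teardown, and nothing in the hunk states that invariant. I would put a comment above the added line: `/* check.alpn_str is always an owned heap copy (parsed, or duplicated from the default server), never a shared pointer */`. The hunk header shows this is free_check(), whose body starts before and continues after the hunk, so I cannot see whether the struct is released elsewhere as well.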
@@ -2901,8 +2901,15 @@ void srv_settings_cpy(struct server *srv, const struct server *src, int srv_tmpl
 srv->check.use_ssl = src->check.use_ssl;
 srv->check.port = src->check.port;
 srv->check.sni = src->check.sni;
- srv->check.alpn_str = src->check.alpn_str;
- srv->check.alpn_len = src->check.alpn_len;
+ if (src->check.alpn_str) {
+ srv->check.alpn_str = malloc(src->check.alpn_len);
+ if (srv->check.alpn_str) {
+ memcpy(srv->check.alpn_str, src->check.alpn_str,
+ src->check.alpn_len);
+ srv->check.alpn_len = src->check.alpn_len;
+ }
+ }
+
 if (!(srv->flags & SRV_F_RHTTP))
 srv->check.reuse_pool = src->check.reuse_pool;
 if (src->check.pool_conn_name)
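Review bot: When malloc() fails, the new block leaves srv->check.alpn_str NULL but never touches srv->check.alpn_len, so the (alpn_str, alpn_len) pair can fall out of sync and the health check silently loses the inherited ALPN instead of the failure being reported; since the hunk header shows srv_settings_cpy() returns void, the least I would do is keep the pair consistent with `else srv->check.alpn_len = 0;` after the inner `if`, and ideally surface the failure to the caller. Whether srv is always freshly zeroed when this runs I cannot tell from the hunk; if the function can be applied to a server that already carries a check ALPN, the old pointer is also overwritten without being freed. The duplication is the whole point of the fix, so a comment would guard against a regression: `/* duplicated on purpose: each server owns its check.alpn_str (released in free_check()), so a "check-alpn" override must not free the default server's copy */`. The body of srv_settings_cpy() continues on both sides of the hunk.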