From 0622f02b5aac4ae104f809a6beb836ccecef9a60 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 12 Apr 2017 22:32:04 +0200 Subject: [PATCH] BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error If make_arg_list() fails to process an argument after having queued an unresolvable one, it frees the allocated argument list but doesn't remove the referenced args from the arg list. This causes a use after free or a double free if the same location was reused, during the deinit phase upon exit after reporting the error. Since it's not easy to properly unlinked all elements, we only release the args block if none of them was queued in the list. --- src/arg.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/arg.c b/src/arg.c index ca914fa..52977b7 100644 --- a/src/arg.c +++ b/src/arg.c @@ -104,6 +104,7 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp, char *word = NULL; const char *ptr_err = NULL; int min_arg; + struct arg_list *new_al = al; *argp = NULL; @@ -165,7 +166,7 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp, * parsing then resolved later. */ arg->unresolved = 1; - arg_list_add(al, arg, pos); + new_al = arg_list_add(al, arg, pos); /* fall through */ case ARGT_STR: @@ -282,7 +283,12 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp, err: free(word); - free(*argp); + if (new_al == al) { + /* only free the arg area if we have not queued unresolved args + * still pointing to it. + */ + free(*argp); + } *argp = NULL; if (err_arg) *err_arg = pos; -- 1.7.10.4