From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 9 Sep 2020 14:09:44 +0000 (+0200)
Subject: BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
X-Git-Tag: v2.1.9~21
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=d109ed649ba0afa14db5601d1f316f8b2e47dc4a;p=haproxy-2.1.git

BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned

It must be done to expire patterns cached in the LRU cache. Otherwise it is
possible to retrieve an already freed pattern, attached to a released pattern
expression.

When a specific pattern is deleted (->delete() callback), the pattern expression
revision is already renewed. Thus it is not affected by this bug. Only prune
action on the pattern expression is concerned.

In addition, for a pattern expression, in ->prune() callbacks when the pattern
list is released, a missing LIST_DEL() has been added. It is not a real issue
because the list is reinitialized at the end and all elements are released and
should never be reused. But it is less confusing this way.

This bug may be triggered when a map is cleared from the cli socket. A
workaround is to set the pattern cache size (tune.pattern.cache-size) to 0 to
disable it.

This patch should fix the issue #844. It must be backported to all supported
versions.

(cherry picked from commit 6cfc8516741c57fb9f879b364568cfa79a6b42a1)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit d585ffd50c020529c145a680aae87363ded00c13)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---

diff --git a/src/pattern.c b/src/pattern.c
index 9132bc3..06773f5 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -1095,6 +1095,7 @@ void pat_prune_val(struct pattern_expr *expr)
 	struct pattern_list *pat, *tmp;
 
 	list_for_each_entry_safe(pat, tmp, &expr->patterns, list) {
+		LIST_DEL(&pat->list);
 		free(pat->pat.data);
 		free(pat);
 	}
@@ -1102,6 +1103,7 @@ void pat_prune_val(struct pattern_expr *expr)
 	free_pattern_tree(&expr->pattern_tree);
 	free_pattern_tree(&expr->pattern_tree_2);
 	LIST_INIT(&expr->patterns);
+	expr->revision = rdtsc();
 }
 
 void pat_prune_ptr(struct pattern_expr *expr)
@@ -1109,6 +1111,7 @@ void pat_prune_ptr(struct pattern_expr *expr)
 	struct pattern_list *pat, *tmp;
 
 	list_for_each_entry_safe(pat, tmp, &expr->patterns, list) {
+		LIST_DEL(&pat->list);
 		free(pat->pat.ptr.ptr);
 		free(pat->pat.data);
 		free(pat);
@@ -1117,6 +1120,7 @@ void pat_prune_ptr(struct pattern_expr *expr)
 	free_pattern_tree(&expr->pattern_tree);
 	free_pattern_tree(&expr->pattern_tree_2);
 	LIST_INIT(&expr->patterns);
+	expr->revision = rdtsc();
 }
 
 void pat_prune_reg(struct pattern_expr *expr)
@@ -1124,6 +1128,7 @@ void pat_prune_reg(struct pattern_expr *expr)
 	struct pattern_list *pat, *tmp;
 
 	list_for_each_entry_safe(pat, tmp, &expr->patterns, list) {
+		LIST_DEL(&pat->list);
 		regex_free(pat->pat.ptr.ptr);
 		free(pat->pat.data);
 		free(pat);
@@ -1132,6 +1137,7 @@ void pat_prune_reg(struct pattern_expr *expr)
 	free_pattern_tree(&expr->pattern_tree);
 	free_pattern_tree(&expr->pattern_tree_2);
 	LIST_INIT(&expr->patterns);
+	expr->revision = rdtsc();
 }
 
 /*