Welcome! Log In Create A New Profile

Advanced

[PATCH] BUG/MAJOR: map: fix a segfault when using http-request set-map

Posted by William Lallemand 
The bug happens with an existing entry, when you try to overwrite the
value with wrong data, for example, a string when the type is INT.

The code path was not secure and tried to set *err and *merr while
err = merr = NULL when performing an http action.

Must be backported in 1.6, 1.7, 1.8.
---
src/pattern.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/pattern.c b/src/pattern.c
index 2eb826501..35c1c7e80 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -1815,12 +1815,14 @@ int pat_ref_set(struct pat_ref *ref, const char *key, const char *value, char **
list_for_each_entry(elt, &ref->head, list) {
if (strcmp(key, elt->pattern) == 0) {
if (!pat_ref_set_elt(ref, elt, value, merr)) {
- if (!found)
- *err = *merr;
- else {
- memprintf(err, "%s, %s", *err, *merr);
- free(*merr);
- *merr = NULL;
+ if (err && merr) {
+ if (!found) {
+ *err = *merr;
+ } else {
+ memprintf(err, "%s, %s", *err, *merr);
+ free(*merr);
+ *merr = NULL;
+ }
}
}
found = 1;
--
2.16.1
On Mon, Jun 11, 2018 at 10:53:46AM +0200, William Lallemand wrote:
> The bug happens with an existing entry, when you try to overwrite the
> value with wrong data, for example, a string when the type is INT.
(...)

Applied, thank you William!
Willy
Sorry, only registered users may post in this forum.

Click here to login