On 19/04/2017 12:13 PM, Willy Tarreau wrote:
> Hi all,
>
> Stephan (in Cc) reported to me two nice segfaults in the config parser when
> feeding haproxy with some horribly fuzzed invalid configurations. To make
> it clear, it happens only when haproxy *fails* to start due to an error.
> But it's not a reason for failing the dirty way. Every time it was a
> problem in smp_resolve_args() which is used to resolve acl args.
>
> The root cause of the issue is that there are certain types of errors
> where it's very tricky to unroll what has been started (eg: add multiple
> keywords to a list then you have to remove them and exactly them, taking
> care not to free a shared memory area if at least one remains because this
> one will be freed later), etc.
>
> The first bug was a use-after-free causing all sorts of random things like
> memory corruption or an infinite loop when trying to exit, which can be a
> problem for those aggregating configs from customers. The second one was
> a "more conventional" null dereference. I could fix both of them but I
> realized that the deeper reason is that we try to perform all the
> cross-reference checks after we've met such errors, which doesn't make sense
> and even causes some absurd errors to be reported. So I wrote the simple
> patch below for 1.8 and I think it would make sense to backport this into
> earlier versions to make everyone's life easier. It would also make the
> parser much more robust against such issues in the future.
>
> Now the question is : this is not a bug fix but a small improvement which
> may have some impact on those being used to read error reports, so does
> anyone have any objection against this being backported (if so to regarding
> a specific version maybe) ?
>

I also believe that it should be backported at least to 1.7 version[1]. It
makes the output more clear and squeaks only the relevant bad config lines.

Cheers,
Pavlos

[1] IMHO: Users of 1.5 version should upgrade to 1.7, I don't see any valid
reason to stay on 1.5. From my personal experience I can tell that 1.7 version
is a rock solid release.