git.kaiwu.me - haproxy.git/commit
BUG/MEDIUM: dict: hold read lock while incrementing refcount in dict_insert
author Willy Tarreau <w@1wt.eu>
Wed, 13 May 2026 08:57:29 +0000 (10:57 +0200)
committer Willy Tarreau <w@1wt.eu>
Wed, 13 May 2026 11:37:53 +0000 (13:37 +0200)
commit de6a26e3c89da24dea2449f66e21d10a0d3a3131
tree 9803956d9b29650e95d7a6d9f0e58dac65cf076a
parent 31a3e16e1615e5f9afda86e6d3e7baba9b2246de

In dict_insert(), the read lock on d->rwlock was released before
incrementing the entry's refcount. Between the RDUNLOCK and the
HA_ATOMIC_INC, another thread could call dict_entry_unref() to drop
the refcount to zero, acquire the write lock, delete the entry from
the tree, and free it. The subsequent HA_ATOMIC_INC would then be a
use-after-free on freed memory.

The fix moves the HA_ATOMIC_INC inside the read lock, matching the
pattern used in stick_table.c for identical refcount-then-unlock
sequences.

It can be backported to the branches where this is relevant.
src/dict.c