From 2644f9ddf92975f570788ed7ce5bd585b0e85f28 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 22 May 2026 14:08:27 +0200
Subject: [PATCH] BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref

In dict_entry_unref(), the write lock on d->rwlock was only acquired after decrementing the refcount. However, between the decrement and the lock, another thread could increment it by calling dict_insert(). That could lead to a UAF. To fix the issue, the call to HA_ATOMIC_SUB_FETCH is moved inside the write lock. This patch must be backported to all stable versions.
---
 src/dict.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/dict.c b/src/dict.c
index c4c54664e..34689ef77 100644
--- a/src/dict.c
+++ b/src/dict.c
@@ -117,10 +117,11 @@ void dict_entry_unref(struct dict *d, struct dict_entry *de)
 	if (!de)
 		return;
 
-	if (HA_ATOMIC_SUB_FETCH(&de->refcount, 1) != 0)
-		return;
-
 	HA_RWLOCK_WRLOCK(DICT_LOCK, &d->rwlock);
+	if (HA_ATOMIC_SUB_FETCH(&de->refcount, 1) != 0) {
+		HA_RWLOCK_WRUNLOCK(DICT_LOCK, &d->rwlock);
+		return;
+	}
 	ebpt_delete(&de->value);
 	HA_RWLOCK_WRUNLOCK(DICT_LOCK, &d->rwlock);
-- 
2.47.3
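Review bot: Moving HA_ATOMIC_SUB_FETCH under the write lock only closes the race if the increment on the dict_insert() side is itself performed while d->rwlock is held (read or write); if dict_insert() releases its read lock after the lookup and only then bumps de->refcount, the decrement-to-zero, ebpt_delete() and the free that presumably follows can still run between that unlock and the increment. dict_insert() is not in this hunk, so that ordering cannot be confirmed from here and should be checked before backporting. The invariant the fix depends on is worth stating at the new lock site, e.g. `/* refcount is decremented under the write lock: dict_insert() must take its reference while holding d->rwlock, otherwise a lookup could revive an entry being freed */`. dict_entry_unref() begins before this hunk (its signature is only visible in the @@ header) and ends after it.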