]> git.kaiwu.me - haproxy.git/commit
BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref
authorChristopher Faulet <cfaulet@haproxy.com>
Fri, 22 May 2026 12:08:27 +0000 (14:08 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Fri, 22 May 2026 15:17:01 +0000 (17:17 +0200)
commit2644f9ddf92975f570788ed7ce5bd585b0e85f28
treec88f0b8da844630482ced31e5e9c05fb23ede66d
parent7cab3a3c3a439a221d125654e1d9302ad949aed6
BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref

In dict_entry_unref(), the write lock on d->rwlock was only acquired after
decrementing the refcount. However, between the decrement and the lock,
another thread could increment it by calling dict_insert(). That could lead
to a UAF.

To fix the issue, the call to HA_ATOMIC_SUB_FETCH is moved inside the write
lock.

This patch must be backported to all stable versions.
src/dict.c