From 1c379cad88a5039412df6b35cc39b7ee8b467fa8 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Mon, 23 Mar 2026 13:50:17 +0100 Subject: [PATCH] BUG/MINOR: http_htx: fix null deref in http-errors config check http-errors parsing has been refactored in a recent serie of patches. However, a null deref was introduced by the following patch in case a non-existent http-errors section is referenced by an "errorfiles" directive. commit 2ca7601c2d6781f455cf205e4f3b52f5beb16e41 MINOR/OPTIM: http_htx: lookup once http_errors section on check/init Fix this by delaying ha_free() so that it is called after ha_alert(). No need to backport. --- src/http_htx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/http_htx.c b/src/http_htx.c index dc18735e3..bd550be98 100644 --- a/src/http_htx.c +++ b/src/http_htx.c @@ -2352,15 +2352,16 @@ int proxy_check_http_errors(struct proxy *px) } } - ha_free(&conf_err->type.section.name); if (!section_found) { ha_alert("proxy '%s': unknown http-errors section '%s' (at %s:%d).\n", px->id, conf_err->type.section.name, conf_err->file, conf_err->line); + ha_free(&conf_err->type.section.name); err |= ERR_ALERT | ERR_FATAL; continue; } conf_err->type.section.resolved = http_errs; + ha_free(&conf_err->type.section.name); for (rc = 0; rc < HTTP_ERR_SIZE; rc++) { if (conf_err->type.section.status[rc] == HTTP_ERR_IMPORT_EXPLICIT && -- 2.47.3