From bcfe23a7ecb212ca07dfbe20423684944d55e086 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 19 Apr 2017 11:13:48 +0200 Subject: [PATCH] BUG/MEDIUM: acl: properly release unused args in prune_acl_expr() Stephan Zeisberg reported another dirty abort case which can be triggered with this simple config (where file "d" doesn't exist): backend b1 stats auth a:b acl auth_ok http_auth(c) -f d This issue was brought in 1.5-dev9 by commit 34db108 ("MAJOR: acl: make use of the new argument parsing framework") when prune_acl_expr() started to release arguments. The arg pointer is set to NULL but not its length. Because of this, later in smp_resolve_args(), the argument is still seen as valid (since only a test on the length is made as in all other places), and the NULL pointer is dereferenced. This patch properly clears the lengths to avoid such tests. This fix needs to be backported to 1.7, 1.6, and 1.5. --- src/acl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/acl.c b/src/acl.c index 93d365851..da62e6c01 100644 --- a/src/acl.c +++ b/src/acl.c @@ -115,6 +115,7 @@ static struct acl_expr *prune_acl_expr(struct acl_expr *expr) if (arg->type == ARGT_STR || arg->unresolved) { free(arg->data.str.str); arg->data.str.str = NULL; + arg->data.str.len = 0; unresolved |= arg->unresolved; arg->unresolved = 0; }
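Review bot: the added `arg->data.str.len = 0;` restores the (str, len) invariant on this one release path in prune_acl_expr(), but the commit message states that consumers such as smp_resolve_args() test only the length, so any other place that frees or NULLs arg->data.str.str without also zeroing len leaves the same latent NULL dereference; before backporting to 1.7, 1.6 and 1.5 it is worth grepping for the `free(arg->data.str.str);` / `arg->data.str.str = NULL;` pattern and applying the same reset (or a small helper that clears both fields) wherever it appears. A regression test built from the quoted config (backend b1, stats auth a:b, acl auth_ok http_auth(c) -f d, with file "d" absent) would catch a reintroduction of this abort.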
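The bug the commit message describes is a general one: a (pointer, length) pair where the release path clears the pointer but not the length, so any consumer that treats "len > 0" as "argument present" dereferences NULL. The block below is an added example, not HAProxy code, modelled loosely on struct arg's data.str; the struct and function names (str_arg, str_arg_release_buggy, str_arg_release_fixed, consume_len_only, consume_checked) are hypothetical. It shows the pre-patch and patched release paths side by side, the invariant consumers rely on, and a defensive consumer that refuses a stale pair instead of crashing.

```c
/* Added example (not HAProxy code). Models a (pointer, length) argument
 * like struct arg's data.str and shows why clearing the pointer without
 * clearing the length leaves a "valid-looking" argument behind. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct str_arg {
    char *str;        /* owned buffer, NULL once released */
    int   len;        /* consumers treat len > 0 as "argument present" */
    int   unresolved; /* still to be resolved (e.g. a file name), as in HAProxy */
};

/* Constructed input: copy s into a freshly allocated, unresolved argument. */
static int str_arg_set(struct str_arg *a, const char *s)
{
    size_t n = strlen(s);
    a->str = malloc(n + 1);
    if (!a->str)
        return -1;
    memcpy(a->str, s, n + 1);
    a->len = (int)n;
    a->unresolved = 1;
    return 0;
}

/* Release path as it was before the patch: pointer cleared, length kept. */
static void str_arg_release_buggy(struct str_arg *a)
{
    free(a->str);
    a->str = NULL;
    a->unresolved = 0;
}

/* Release path as patched: both halves of the pair are reset. */
static void str_arg_release_fixed(struct str_arg *a)
{
    free(a->str);
    a->str = NULL;
    a->len = 0;
    a->unresolved = 0;
}

/* Invariant every length-only consumer relies on: len > 0 implies str != NULL. */
static int str_arg_consistent(const struct str_arg *a)
{
    return a->len == 0 || a->str != NULL;
}

/* Length-only consumer, the "only a test on the length is made" pattern.
 * Returns the first byte, or 0 if the argument is absent. Dereferences str
 * whenever len > 0, so a stale pair (str NULL, len > 0) crashes here. */
static int consume_len_only(const struct str_arg *a)
{
    if (a->len == 0)
        return 0;
    return (unsigned char)a->str[0];
}

/* Defensive consumer: reject a stale pair (-1) instead of dereferencing NULL. */
static int consume_checked(const struct str_arg *a)
{
    if (!str_arg_consistent(a))
        return -1;
    if (a->len == 0)
        return 0;
    return (unsigned char)a->str[0];
}

/* Runs both release paths on constructed arguments; returns 1 when the buggy
 * path leaves a stale pair and the fixed path leaves a clean, consumable one. */
static int demo(void)
{
    struct str_arg a, b;
    int stale_after_buggy, clean_after_fixed;

    if (str_arg_set(&a, "d") || str_arg_set(&b, "d"))
        return 0;

    str_arg_release_buggy(&a);
    stale_after_buggy = !str_arg_consistent(&a);  /* len is still 1, str is NULL */

    str_arg_release_fixed(&b);
    clean_after_fixed = str_arg_consistent(&b) && consume_len_only(&b) == 0;

    str_arg_release_fixed(&a);  /* free(NULL) is a no-op; this also zeroes len */
    return stale_after_buggy && clean_after_fixed;
}

int main(void)
{
    struct str_arg a;

    if (str_arg_set(&a, "d"))
        return 1;
    str_arg_release_buggy(&a);
    printf("after buggy release: str=%p len=%d consistent=%d checked=%d\n",
           (void *)a.str, a.len, str_arg_consistent(&a), consume_checked(&a));
    /* consume_len_only(&a) here would dereference NULL, as smp_resolve_args() did */
    str_arg_release_fixed(&a);
    printf("after fixed release:  len=%d consistent=%d\n", a.len, str_arg_consistent(&a));
    return demo() ? 0 : 1;
}
```

The defensive check in consume_checked is a belt-and-braces measure for code paths that cannot be audited exhaustively; the real fix, as in the patch, is to keep the pair consistent at the single point where the buffer is released.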