From 6d02b7efe530b2e11ea5c968218360d66a5e1817 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Thu, 12 Jan 2017 15:04:11 +0000
Subject: [PATCH] [Fix] Fix possible memory corruption in redis pool

MFH: true
---
 src/libserver/fuzzy_backend_redis.c |  4 ++--
 src/libserver/redis_pool.c          | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/libserver/fuzzy_backend_redis.c b/src/libserver/fuzzy_backend_redis.c
index 3ecf732e2..0ab646131 100644
--- a/src/libserver/fuzzy_backend_redis.c
+++ b/src/libserver/fuzzy_backend_redis.c
@@ -1296,8 +1296,8 @@ rspamd_fuzzy_backend_update_redis (struct rspamd_fuzzy_backend *bk,
 
 	/* First of all check digest */
 	session->nargs = nargs;
-	session->argv = g_malloc (sizeof (gchar *) * session->nargs);
-	session->argv_lens = g_malloc (sizeof (gsize) * session->nargs);
+	session->argv = g_malloc0 (sizeof (gchar *) * session->nargs);
+	session->argv_lens = g_malloc0 (sizeof (gsize) * session->nargs);
 
 	up = rspamd_upstream_get (backend->write_servers,
 			RSPAMD_UPSTREAM_MASTER_SLAVE,
diff --git a/src/libserver/redis_pool.c b/src/libserver/redis_pool.c
index cf64c3efe..4e1a788ad 100644
--- a/src/libserver/redis_pool.c
+++ b/src/libserver/redis_pool.c
@@ -140,7 +140,10 @@ rspamd_redis_pool_conn_dtor (struct rspamd_redis_pool_connection *conn)
 	}
 
 
-	g_list_free (conn->entry);
+	if (conn->entry) {
+		g_list_free (conn->entry);
+	}
+
 	g_slice_free1 (sizeof (*conn), conn);
 }
 
@@ -344,16 +347,18 @@ rspamd_redis_pool_connect (struct rspamd_redis_pool *pool,
 			conn_entry = g_queue_pop_head_link (elt->inactive);
 			conn = conn_entry->data;
 
-			if (event_get_base (&conn->timeout)) {
-				event_del (&conn->timeout);
-			}
-
 			if (conn->ctx->err == REDIS_OK) {
+				if (event_get_base (&conn->timeout)) {
+					event_del (&conn->timeout);
+				}
+
 				conn->active = TRUE;
 				g_queue_push_tail_link (elt->active, conn_entry);
 				msg_debug_rpool ("reused existing connection to %s:%d", ip, port);
 			}
 			else {
+				g_list_free (conn->entry);
+				conn->entry = NULL;
 				REF_RELEASE (conn);
 				conn = rspamd_redis_pool_new_connection (pool, elt,
 						db, password, ip, port);
-- 
2.39.5