From 6218b8cf17f4fd8b7f52ba1edcba267704555336 Mon Sep 17 00:00:00 2001
From: Eduardo Silva
Date: Thu, 4 Dec 2025 17:18:10 -0600
Subject: [PATCH] in_forward: fix segfault and double-free in trace path handling

- Incomplete error check: only checked ret == -1, but ctr_decode_msgpack_create() can return other error codes. When ctr is NULL on error, this caused NULL pointer dereference.
- Double-free: called ctr_decode_msgpack_destroy() after successful flb_input_trace_append(), but that function takes ownership and destroys the context internally.

Signed-off-by: Eduardo Silva
---
 plugins/in_forward/fw_prot.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/in_forward/fw_prot.c b/plugins/in_forward/fw_prot.c
index f69bff5e65b..433b7dd98b1 100644
--- a/plugins/in_forward/fw_prot.c
+++ b/plugins/in_forward/fw_prot.c
@@ -1163,8 +1163,8 @@ static int append_log(struct flb_input_instance *ins, struct fw_conn *conn,
 else if (event_type == FLB_EVENT_TYPE_TRACES) {
 off = 0;
 ret = ctr_decode_msgpack_create(&ctr, (char *) data, len, &off);
- if (ret == -1) {
- flb_error("could not decode trace message. ret=%d", ret);
+ if (ret != CTR_DECODE_MSGPACK_SUCCESS) {
+ flb_plg_error(ins, "could not decode trace message. ret=%d", ret);
 return -1;
 }

@@ -1176,7 +1176,7 @@ static int append_log(struct flb_input_instance *ins, struct fw_conn *conn,
 ctr_decode_msgpack_destroy(ctr);
 return -1;
 }
- ctr_decode_msgpack_destroy(ctr);
+ /* Note: flb_input_trace_append takes ownership of ctr and destroys it on success */
 }

 return 0;
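Review bot: After a successful decode in the traces branch, `off` is not compared with `len` in the lines shown, so a payload with trailing bytes or a second encoded context after the first appears to be accepted and the remainder dropped without a log line. Because this data arrives from a forward peer, consider logging or rejecting the mismatch right after the new status check, e.g. `if (off != len) { flb_plg_warn(ins, "trailing bytes after trace message"); }`, or decoding in a loop if several contexts per message are legal. The rest of the branch and of append_log lies outside this hunk, so confirm that `off` is not already checked there.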
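Review bot: The new comment documents only the success half of the ownership contract, while the failure path three lines above it still calls `ctr_decode_msgpack_destroy(ctr)` itself. That is safe only if every non-zero return from flb_input_trace_append() leaves ctr untouched; if any internal stage can release the context and then report an error, the double-free this commit removes comes back on the error path, which is reachable from network input. The callee is not visible in this hunk, so this should be confirmed there, and the comment could state both halves: `/* flb_input_trace_append() owns and destroys ctr on success; on failure ctr is still ours and is destroyed above */`. append_log starts and ends outside the hunk.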