From 27ff7ff296dec073e84cf03106a3e285181c24d8 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Thu, 4 Sep 2025 16:35:49 +0200 Subject: [PATCH] BUG/MEDIUM: conn: fix UAF on connection after reversal on edge When a connection is reversed, some elements must be reset prior to reusing it. Most notably, connection must be removed from lists specific to frontend/backend sides. When reverse was performed for frontend to backend side, connection was not removed via its attach point. On previous releases, this did not cause any issue. However, crashes started to occur recently, probably due to the recent reorganization of connection list attach points from the following patch. commit a96f1286a75246fef6db3e615fabdef1de927d83 BUG/MINOR: connection: rearrange union list members To fix this, simply ensure that detach is performed via conn_reverse(). This patch must be backported up to 3.0 release. --- src/connection.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/connection.c b/src/connection.c index e3e5040ba..15fac3126 100644 --- a/src/connection.c +++ b/src/connection.c @@ -2961,6 +2961,8 @@ int conn_reverse(struct connection *conn) struct server *srv = objt_server(conn->reverse.target); BUG_ON(!srv); + LIST_DEL_INIT(&conn->stopping_list); + if (conn_backend_init(conn)) return 1;
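Review bot: the LIST_DEL_INIT(&conn->stopping_list) added after BUG_ON(!srv) in conn_reverse() has no comment explaining why this particular list must be detached before conn_backend_init(conn). The commit message ties the crash to the rearranged union of list members, so a one-line comment above the call stating that stopping_list has to be detached before the backend side reuses the connection would keep a later reshuffle of that union from silently reintroducing the use-after-free. Two things are worth confirming against the rest of the function, since only this branch is visible here: that the detach happening before the "if (conn_backend_init(conn)) return 1;" failure path is intended, because on that path the connection has already left stopping_list, and that the opposite reversal direction performs the matching detach for its own attach point.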