From 5472aa50f190d56f1e632df92064ff6fed416f48 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sat, 24 Oct 2020 12:57:41 +0200 Subject: [PATCH] BUG/MEDIUM: queue: fix unsafe proxy pointer when counting nbpend As reported by Coverity in issue #917, commit 96bca33 ("OPTIM: queue: decrement the nbpend and totpend counters outside of the lock") introduced a bug when moving the increments outside of the loop, because we can't always rely on the pendconn "p" here as it may be null. We can retrieve the proxy pointer directly from s->proxy instead. The same is true for pendconn_redistribute(), though the last "p" pointer there was still valid. This patch fixes both. No backport is needed, this was introduced just before 2.3-dev8. --- src/queue.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/queue.c b/src/queue.c index bd95472d4..19b99a5f6 100644 --- a/src/queue.c +++ b/src/queue.c @@ -465,8 +465,8 @@ int pendconn_redistribute(struct server *s) xferred++; } if (xferred) { - _HA_ATOMIC_SUB(&p->srv->nbpend, xferred); - _HA_ATOMIC_SUB(&p->px->totpend, xferred); + _HA_ATOMIC_SUB(&s->nbpend, xferred); + _HA_ATOMIC_SUB(&s->proxy->totpend, xferred); } return xferred; } @@ -508,8 +508,8 @@ int pendconn_grab_from_px(struct server *s) } HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &s->proxy->lock); if (xferred) { - _HA_ATOMIC_SUB(&p->px->nbpend, xferred); - _HA_ATOMIC_SUB(&p->px->totpend, xferred); + _HA_ATOMIC_SUB(&s->proxy->nbpend, xferred); + _HA_ATOMIC_SUB(&s->proxy->totpend, xferred); } return xferred; }