mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-09 16:47:18 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: connection: properly unregister the mux on failed initialization

Browse Source 
When mux->init() fails, session_free() will call it again to unregister
it while it was already done, resulting in null derefs or use-after-free.
This typically happens on out-of-memory conditions during H1 or H2 connection
or stream allocation.

This fix must be backported to 1.9.
This commit is contained in:
Willy Tarreau 2019-01-10 10:33:32 +01:00
parent ada5d09142
commit 762475e1f9
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
include/proto/connection.h
View File

@ -832,9 +832,16 @@ static inline struct wait_event *wl_set_waitcb(struct wait_event *wl, struct tas
static inline int conn_install_mux(struct connection *conn, const struct mux_ops *mux,
void *ctx, struct proxy *prx, struct session *sess)
{
int ret;
conn->mux = mux;
conn->ctx = ctx;
return mux->init ? mux->init(conn, prx, sess) : 0;
ret = mux->init ? mux->init(conn, prx, sess) : 0;
if (ret < 0) {
conn->mux = NULL;
conn->ctx = NULL;
}
return ret;
}
/* returns a human-readable error code for conn->err_code, or NULL if the code