mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 22:01:31 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: mux-quic: properly release conn-stream on detach

Browse Source 
On qc_detach(), the qcs must cleared the conn-stream context and set its
cs pointer to NULL. This prevents the qcs to point to a dangling
reference.

Without this, a SEGFAULT may occurs in qc_wake_some_streams() when
accessing an already detached conn-stream instance through a qcs.

Here is the SEGFAULT observed on haproxy.org.
 Program terminated with signal 11, Segmentation fault.
 1234                            else if (qcs->cs->data_cb->wake) {
 (gdb) p qcs.cs.data_cb
 $1 = (const struct data_cb *) 0x0

This can happens since the following patch :
 commit fe035eca3a24ea0f031fdcdad23809bea5de32e4
 MEDIUM: mux-quic: report errors on conn-streams
This commit is contained in:
Amaury Denoyelle 2022-04-08 12:00:12 +02:00
parent 9c3955c98c
commit 8038821c88
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/mux_quic.c
View File

@ -1061,6 +1061,8 @@ static void qc_detach(struct conn_stream *cs)
TRACE_ENTER(QMUX_EV_STRM_END, qcc->conn, qcs);
cs->ctx = NULL;
qcs->cs = NULL;
--qcc->nb_cs;
if ((b_data(&qcs->tx.buf) || qcs->tx.offset > qcs->tx.sent_offset) &&