From 9bd0d744efdcd6bb9c910f50af9768e136d830e2 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 20 Jul 2011 00:17:39 +0200
Subject: [PATCH] [BUG] session: risk of crash on out of memory (1.5-dev regression)

Patch af5149 introduced an issue which can be detected only on out of memory conditions : a LIST_DEL() may be performed on an uninitialized struct member instead of a LIST_INIT() during the accept() phase, causing crashes and memory corruption to occur. This issue was detected and diagnosed by the Exceliance R&D team. This is 1.5-specific and very recent, so no existing deployment should be impacted.
---
 include/proto/session.h | 6 ++++++
 src/peers.c | 2 +-
 src/session.c | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/proto/session.h b/include/proto/session.h
index 810fe44c5..78a22226b 100644
--- a/include/proto/session.h
+++ b/include/proto/session.h
@@ -240,6 +240,12 @@ static void inline session_del_srv_conn(struct session *sess)
 LIST_DEL(&sess->by_srv);
 }
 
+static void inline session_init_srv_conn(struct session *sess)
+{
+ sess->srv_conn = NULL;
+ LIST_INIT(&sess->by_srv);
+}
+
 #endif /* _PROTO_SESSION_H */
 
 /*
diff --git a/src/peers.c b/src/peers.c
index f25328041..47d9fe13d 100644
--- a/src/peers.c
+++ b/src/peers.c
@@ -1185,7 +1185,7 @@ static struct session *peer_session_create(struct peer *peer, struct peer_sessio
 stream_sock_prepare_interface(&s->si[1]);
 s->si[1].release = NULL;
 
- session_del_srv_conn(s);
+ session_init_srv_conn(s);
 clear_target(&s->target);
 s->pend_pos = NULL;
 
diff --git a/src/session.c b/src/session.c
index ae720cf34..6e3a52534 100644
--- a/src/session.c
+++ b/src/session.c
@@ -201,7 +201,7 @@ int session_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
 if (likely(s->fe->options2 & PR_O2_INDEPSTR))
 s->si[1].flags |= SI_FL_INDEP_STR;
 
- session_del_srv_conn(s);
+ session_init_srv_conn(s);
 clear_target(&s->target);
 s->pend_pos = NULL;
 
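Review bot: The new `session_init_srv_conn()` in include/proto/session.h is only correct on a session whose `by_srv` member has never been linked, yet nothing in the header distinguishes it from the neighbouring `session_del_srv_conn()` (whose tail is visible at the top of the hunk), which is exactly the confusion that produced this regression. A short comment above the new function would pin the contract, e.g. `/* Initialize the server-connection fields of a freshly allocated session. Use this instead of session_del_srv_conn() when the session was never added to a server list: LIST_DEL() on an unlinked node follows uninitialized pointers. */`. The replacement call sites in src/peers.c (peer_session_create) and src/session.c (session_accept) both appear to run on a just-created session, which is consistent with that contract; any other setup path that still calls `session_del_srv_conn()` on a never-linked session, if one exists, would need the same fix. Both enclosing functions start and end outside their hunks.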