[BUG] session: risk of crash on out of memory (1.5-dev regression)

Patch af5149 introduced an issue which can be detected only on out of
memory conditions : a LIST_DEL() may be performed on an uninitialized
struct member instead of a LIST_INIT() during the accept() phase,
causing crashes and memory corruption to occur.

This issue was detected and diagnosed by the Exceliance R&D team.

This is 1.5-specific and very recent, so no existing deployment should
be impacted.

include/proto/session.h

@@ -240,6 +240,12 @@ static void inline session_del_srv_conn(struct session *sess)
 	LIST_DEL(&sess->by_srv);
 }
 
+static void inline session_init_srv_conn(struct session *sess)
+{
+	sess->srv_conn = NULL;
+	LIST_INIT(&sess->by_srv);
+}
+
 #endif /* _PROTO_SESSION_H */
 
 /*

src/peers.c

@@ -1185,7 +1185,7 @@ static struct session *peer_session_create(struct peer *peer, struct peer_sessio
 	stream_sock_prepare_interface(&s->si[1]);
 	s->si[1].release = NULL;
 
-	session_del_srv_conn(s);
+	session_init_srv_conn(s);
 	clear_target(&s->target);
 	s->pend_pos = NULL;
 

src/session.c

@@ -201,7 +201,7 @@ int session_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
 	if (likely(s->fe->options2 & PR_O2_INDEPSTR))
 		s->si[1].flags |= SI_FL_INDEP_STR;
 
-	session_del_srv_conn(s);
+	session_init_srv_conn(s);
 	clear_target(&s->target);
 	s->pend_pos = NULL;