From a220e59ad8dd44cd71484ab5a207ed08f219c737 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 21 Mar 2023 10:44:44 +0100
Subject: [PATCH] BUG/MEDIUM: mux-h1: properly destroy a partially allocated h1s

In h1c_frt_stream_new() and h1c_bck_stream_new(), if we fail to completely initialize the freshly allocated h1s, typically because sc_attach_mux() fails, we must use h1s_destroy() to de-initialize it. Otherwise it stays attached to the h1c when released, causing use-after-free upon the next wakeup. This can be triggered upon memory shortage.

This needs to be backported to 2.6.
---
 src/mux_h1.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 697924a16..20f7a1239 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -305,6 +305,7 @@ struct task *h1_timeout_task(struct task *t, void *context, unsigned int state);
 static void h1_shutw_conn(struct connection *conn);
 static void h1_wake_stream_for_recv(struct h1s *h1s);
 static void h1_wake_stream_for_send(struct h1s *h1s);
+static void h1s_destroy(struct h1s *h1s);
 
 /* returns the stconn associated to the H1 stream */
 static forceinline struct stconn *h1s_sc(const struct h1s *h1s)
@@ -803,7 +804,7 @@ static struct h1s *h1c_frt_stream_new(struct h1c *h1c, struct stconn *sc, struct
 
   fail:
 	TRACE_DEVEL("leaving on error", H1_EV_STRM_NEW|H1_EV_STRM_ERR, h1c->conn);
-	pool_free(pool_head_h1s, h1s);
+	h1s_destroy(h1s);
 	return NULL;
 }
 
@@ -837,7 +838,7 @@ static struct h1s *h1c_bck_stream_new(struct h1c *h1c, struct stconn *sc, struct
 
   fail:
 	TRACE_DEVEL("leaving on error", H1_EV_STRM_NEW|H1_EV_STRM_ERR, h1c->conn);
-	pool_free(pool_head_h1s, h1s);
+	h1s_destroy(h1s);
 	return NULL;
 }
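Review bot: The `fail:` label in h1c_frt_stream_new() can presumably be reached with h1s still NULL (the allocation failure path, which lies outside this hunk since the function body starts before it), and while the replaced pool_free(NULL) was a harmless no-op, the new h1s_destroy(h1s) call is only safe there if the helper itself tolerates NULL, which the hunk does not show. If h1s_destroy() does not begin with an `if (h1s)` guard, the call should read `if (h1s) h1s_destroy(h1s);`; the same applies to the `fail:` label of h1c_bck_stream_new() in the following hunk. Either way, a short comment at the label would protect this fix from being reverted to a bare pool_free() later, e.g. `/* h1s may be partially initialized: h1s_destroy() unlinks it from the h1c before freeing */`, since the use-after-free described in the commit message is exactly what a plain free leaves behind.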