From a93eac41f0e9143daccd852c4a26003b5cd4e036 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.org>
Date: Thu, 20 Oct 2022 18:36:03 +0200
Subject: [PATCH] BUG/MEDIUM: httpclient: check if the httpclient was released
 in the IO handler

Upon a applet_release(), the applet can be scheduled again and a call to
the IO handler is still possible. When the struct httpclient is already
free the IO handler could try to access it.

This patch fixes the issue by setting svcctx to NULL in the
applet_release, and checking its value in the IO handler.

Must be backported as far as 2.5.
---
 src/http_client.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/http_client.c b/src/http_client.c
index 2f9bac555..92a4ed6dd 100644
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -707,6 +707,11 @@ static void httpclient_applet_io_handler(struct appctx *appctx)
 	uint32_t sz;
 	int ret;
 
+	/* The IO handler could be called after the release, so we need to
+	 * check if hc is still there to run the IO handler */
+	if (!hc)
+		return;
+
 	while (1) {
 
 		/* required to stop */
@@ -1115,6 +1120,10 @@ static void httpclient_applet_release(struct appctx *appctx)
 		httpclient_destroy(hc);
 	}
 
+	/* be sure not to use this ptr anymore if the IO handler is called a
+	 * last time */
+	appctx->svcctx = NULL;
+
 	return;
 }