From aba507334b471e5b5d0044a74d7177b29491637f Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Tue, 16 Feb 2021 15:16:17 +0100
Subject: [PATCH] BUG/MAJOR: connection: prevent double free if conn selected for removal

Always try to remove a connexion from its toremove_list in conn_free. This prevents a double-free in case the connection is freed but was already added in toremove_list.

This bug was easily reproduced by running 4-5 runs of inject on a single-thread instance of haproxy :
$ inject -u 10000 -d 10 -G 127.0.0.1:20080
A crash would soon be triggered in srv_cleanup_toremove_connections.

This does not need to be backported.
---
 include/haproxy/connection.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h
index a7a83b1c0..8ff8a2e0b 100644
--- a/include/haproxy/connection.h
+++ b/include/haproxy/connection.h
@@ -504,6 +504,14 @@ static inline void conn_free(struct connection *conn)
 srv_release_conn(__objt_server(conn->target), conn);
 }
+ /* Remove the conn from toremove_list. * + * This is needed to prevent a double-free in case the connection was + already scheduled from cleaning but is freed before via another + call. + */
+ MT_LIST_DEL(&conn->toremove_list);
+
 sockaddr_free(&conn->src);
 sockaddr_free(&conn->dst);
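Review bot: The unlink added at `MT_LIST_DEL(&conn->toremove_list);` only closes the double free when this conn_free call wins the race: if another thread has already popped the connection in srv_cleanup_toremove_connections and is about to free it, the MT_LIST_DEL here is a no-op on an already-detached element and both paths still free the same object, so the single-thread reproduction in the description does not exercise that window and the note should say which side owns the connection once it is queued. The call is also only safe if every connection reaching conn_free has toremove_list initialised (MT_LIST_INIT in conn_init, presumably), since an unlink on a zeroed member would walk null neighbours; conn_free starts and ends outside this hunk, so the allocation and error paths feeding it cannot be confirmed from here and are worth a look. The comment wording `already scheduled from cleaning but is freed before via another call` is unclear; suggest `already queued on toremove_list for deferred cleanup but is freed first through another path`.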