mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 13:51:26 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MAJOR: connection: prevent double free if conn selected for removal

Browse Source 
Always try to remove a connexion from its toremove_list in conn_free.
This prevents a double-free in case the connection is freed but was
already added in toremove_list.

This bug was easily reproduced by running 4-5 runs of inject on a
single-thread instance of haproxy :

$ inject -u 10000 -d 10 -G 127.0.0.1:20080

A crash would soon be triggered in srv_cleanup_toremove_connections.

This does not need to be backported.
This commit is contained in:
Amaury Denoyelle 2021-02-16 15:16:17 +01:00
parent 267221557f
commit aba507334b
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
include/haproxy/connection.h
View File

@ -504,6 +504,14 @@ static inline void conn_free(struct connection *conn)
srv_release_conn(__objt_server(conn->target), conn); srv_release_conn(__objt_server(conn->target), conn);
} }
/* Remove the conn from toremove_list.
*
* This is needed to prevent a double-free in case the connection was
* already scheduled from cleaning but is freed before via another
* call.
*/
MT_LIST_DEL(&conn->toremove_list);
sockaddr_free(&conn->src); sockaddr_free(&conn->src);
sockaddr_free(&conn->dst); sockaddr_free(&conn->dst);