From c130f74803bc8bb40a748f734b7e150b3a23daa7 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 20 Mar 2024 11:25:31 +0100
Subject: [PATCH] BUG/MINOR: session: ensure conn owner is set after insert into session

A crash could occured if a session_add_conn() would temporarily failed when called via h2_detach(). In this case, connection owner is reset to NULL. However, if this wasn't the last connection stream, the connection won't be destroyed. When h2_detach() is recalled for another stream and this time session_add_conn() succeeds, a crash will occur due to session_check_idle_conn() invocation with a NULL connection owner. To fix this, ensure connection owner is always set after session_add_conn() success. This bug is considered as minor as the only failure reason for session_add_conn() is a pool allocation issue. This should be backported up to all stable releases.
---
 include/haproxy/session.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/haproxy/session.h b/include/haproxy/session.h
index 0a73e74c3..d9ff726a9 100644
--- a/include/haproxy/session.h
+++ b/include/haproxy/session.h
@@ -206,6 +206,12 @@ static inline int session_add_conn(struct session *sess, struct connection *conn
 MT_LIST_APPEND(&srv->sess_conns, &pconns->srv_el);
 }
 LIST_APPEND(&pconns->conn_list, &conn->sess_el);
+
+ /* Ensure owner is set for connection. It could have been resetted
+ * prior on after a session_add_conn() failure.
+ */
+ conn->owner = sess;
+
 return 1;
 }
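Review bot: The comment added above `conn->owner = sess;` is hard to parse ("resetted prior on after") and does not say who clears the owner or why it matters; I would reword it to `/* A caller may have cleared conn->owner after an earlier failed session_add_conn(); restore it so that later users such as session_check_idle_conn() never see a NULL owner. */`. The assignment is also unconditional, so if `conn->owner` could ever point at a session other than `sess` at this point, it would be overwritten silently while the connection is linked into this session's list. The start of session_add_conn() lies outside the hunk, so whether that case is excluded earlier cannot be confirmed from here. Because the failing path is only reached when the pool allocation fails, a regression test that forces that allocation to fail on one stream's detach and succeed on the next would keep this NULL dereference from coming back.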