From e2f7946339b539035b64f23912a227af98e4a609 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 20 Mar 2023 19:45:41 +0100
Subject: [PATCH] BUG/MEDIUM: stconn: don't set the type before allocation succeeds

There's an occasional crash that can be triggered in sc_detach_endp() when calling conn->mux->detach() upon memory allocation error. The problem in fact comes from sc_attach_mux(), which doesn't reset the sc type flags upon tasklet allocation failure, leading to an attempt at detaching an incompletely initialized stconn. Let's just attach the sc after the tasklet allocation succeeds, not before.

This must be backported to 2.6.
---
 src/stconn.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/stconn.c b/src/stconn.c
index 39299b19a..e1266a4eb 100644
--- a/src/stconn.c
+++ b/src/stconn.c
@@ -256,12 +256,6 @@ int sc_attach_mux(struct stconn *sc, void *sd, void *ctx)
 	struct connection *conn = ctx;
 	struct sedesc *sedesc = sc->sedesc;
 
-	sedesc->se = sd;
-	sedesc->conn = ctx;
-	se_fl_set(sedesc, SE_FL_T_MUX);
-	se_fl_clr(sedesc, SE_FL_DETACHED);
-	if (!conn->ctx)
-		conn->ctx = sc;
 	if (sc_strm(sc)) {
 		if (!sc->wait_event.tasklet) {
 			sc->wait_event.tasklet = tasklet_new();
@@ -286,6 +280,13 @@ int sc_attach_mux(struct stconn *sc, void *sd, void *ctx)
 
 		sc->app_ops = &sc_app_check_ops;
 	}
+
+	sedesc->se = sd;
+	sedesc->conn = ctx;
+	se_fl_set(sedesc, SE_FL_T_MUX);
+	se_fl_clr(sedesc, SE_FL_DETACHED);
+	if (!conn->ctx)
+		conn->ctx = sc;
 	return 0;
 }
 
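Review bot: The reason the attach block now sits at the very end of sc_attach_mux() is recorded only in the commit message, not in the code, so a later cleanup could move it back above the tasklet allocation and silently reintroduce the crash; a comment above the moved `sedesc->se = sd;` line would pin the invariant. Something like `/* Attach last: every early return above must leave the sedesc detached (SE_FL_DETACHED set, SE_FL_T_MUX clear) so that sc_detach_endp() never calls mux->detach() on a half-initialized stconn. */`. The tasklet allocation and its failure returns lie between the two hunks and outside this view, so whether anything in that stretch reads sedesc->conn or sedesc->se before the attach cannot be confirmed here; if it does, it now sees the pre-attach values and that path deserves a look. The same applies to the first hunk, which is the other half of this move.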