From fdabf4954860942d314fe3059a869bed207e78d4 Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@haproxy.com>
Date: Wed, 2 Dec 2020 17:02:09 +0100
Subject: [PATCH] BUG/MAJOR: ring: tcp forward on ring can break the reader
 counter.

If the session is not established, the applet handler could leave
with the applet detached from the ring. At next call, the attach
counter will be decreased again causing unpredectable behavior.

This patch should be backported on branches >=2.2
---
 src/sink.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/sink.c b/src/sink.c
index 4995270e4..a7f689780 100644
--- a/src/sink.c
+++ b/src/sink.c
@@ -348,18 +348,18 @@ static void sink_forward_io_handler(struct appctx *appctx)
 		ofs += ring->ofs;
 	}
 
-	/* we were already there, adjust the offset to be relative to
-	 * the buffer's head and remove us from the counter.
-	 */
-	ofs -= ring->ofs;
-	BUG_ON(ofs >= buf->size);
-	HA_ATOMIC_SUB(b_peek(buf, ofs), 1);
-
 	/* in this loop, ofs always points to the counter byte that precedes
 	 * the message so that we can take our reference there if we have to
 	 * stop before the end (ret=0).
 	 */
 	if (si_opposite(si)->state == SI_ST_EST) {
+		/* we were already there, adjust the offset to be relative to
+		 * the buffer's head and remove us from the counter.
+		 */
+		ofs -= ring->ofs;
+		BUG_ON(ofs >= buf->size);
+		HA_ATOMIC_SUB(b_peek(buf, ofs), 1);
+
 		ret = 1;
 		while (ofs + 1 < b_data(buf)) {
 			cnt = 1;
@@ -488,18 +488,18 @@ static void sink_forward_oc_io_handler(struct appctx *appctx)
 		ofs += ring->ofs;
 	}
 
-	/* we were already there, adjust the offset to be relative to
-	 * the buffer's head and remove us from the counter.
-	 */
-	ofs -= ring->ofs;
-	BUG_ON(ofs >= buf->size);
-	HA_ATOMIC_SUB(b_peek(buf, ofs), 1);
-
 	/* in this loop, ofs always points to the counter byte that precedes
 	 * the message so that we can take our reference there if we have to
 	 * stop before the end (ret=0).
 	 */
 	if (si_opposite(si)->state == SI_ST_EST) {
+		/* we were already there, adjust the offset to be relative to
+		 * the buffer's head and remove us from the counter.
+		 */
+		ofs -= ring->ofs;
+		BUG_ON(ofs >= buf->size);
+		HA_ATOMIC_SUB(b_peek(buf, ofs), 1);
+
 		ret = 1;
 		while (ofs + 1 < b_data(buf)) {
 			cnt = 1;