BUG/MAJOR: sessions: unlink session from list on out of memory

Since embryonic sessions were introduced in 1.5-dev12 with commit
2542b53 ("MAJOR: session: introduce embryonic sessions"), a major
bug remained present. If haproxy cannot allocate memory during
session_complete() (for example, no more buffers), it will not
unlink the new session from the sessions list. This will cause
memory corruptions if the memory area from the session is reused
for anything else, and may also cause bogus output on "show sess"
on the CLI.

This fix must be backported to 1.5.

diff --git a/src/session.c b/src/session.c
index 0ceb031b992008a25c37389d1570010728e95341..772307495aa3b152dedaad5b449f91d1138fd14b 100644 (file)
--- a/src/session.c
+++ b/src/session.c
@@ -580,6 +580,7 @@ int session_complete(struct session *s)
        /* and restore the connection pointer in case we destroyed it,
         * because kill_mini_session() will need it.
         */
+       LIST_DEL(&s->list);
        s->target = &conn->obj_type;
        return ret;
 }