]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 65189c1)
MINOR: stick-tables: make stktable_release() do nothing on NULL
authorWilly Tarreau <w@1wt.eu>
Wed, 27 Jun 2018 04:25:57 +0000 (06:25 +0200)
committerWilly Tarreau <w@1wt.eu>
Wed, 27 Jun 2018 04:33:20 +0000 (06:33 +0200)
stktable_release() has been involved in two recent crashes by being
used without enough care. Just like any free() function this one is
often called on an exit path with a possibly unsafe argument. Given
that there is another case (smp_fetch_sc_trackers()) which theorically
could call it with an unchecked NULL, though it cannot happen since
the function doesn't support being called with src_* hence cannot make
use of tmpstkctr, let's rather move the check into the function itself
to make it safer for the long term.

This patch could be backported to 1.8 as a strengthening measure.

src/stick_table.c patch | blob | blame | history

diff --git a/src/stick_table.c b/src/stick_table.c
index 8e16830d061c9da485592f2e6ae65c55ab93857a..3c4e78309a72039d68bd9ba953e8a5614b679eb5 100644 (file)
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -412,9 +412,11 @@ void stktable_touch_local(struct stktable *t, struct stksess *ts, int decrefcnt)
                ts->ref_cnt--;
        HA_SPIN_UNLOCK(STK_TABLE_LOCK, &t->lock);
 }
-/* Just decrease the ref_cnt of the current session */
-void stktable_release(struct stktable *t, struct stksess *ts)
+/* Just decrease the ref_cnt of the current session. Does nothing if <ts> is NULL */
+static void stktable_release(struct stktable *t, struct stksess *ts)
 {
+       if (!ts)
+               return;
        HA_SPIN_LOCK(STK_TABLE_LOCK, &t->lock);
        ts->ref_cnt--;
        HA_SPIN_UNLOCK(STK_TABLE_LOCK, &t->lock);
@@ -875,8 +877,7 @@ static int sample_conv_in_table(const struct arg *arg_p, struct sample *smp, voi
        smp->data.type = SMP_T_BOOL;
        smp->data.u.sint = !!ts;
        smp->flags = SMP_F_VOL_TEST;
-       if (ts)
-               stktable_release(t, ts);
+       stktable_release(t, ts);
        return 1;
 }
 
@@ -2014,7 +2015,7 @@ smp_fetch_sc_tracked(const struct arg *args, struct sample *smp, const char *kw,
        smp->data.u.sint = !!stkctr;
 
        /* release the ref count */
-       if ((stkctr == &tmpstkctr) &&  stkctr_entry(stkctr))
+       if ((stkctr == &tmpstkctr))
                stktable_release(stkctr->table, stkctr_entry(stkctr));
 
        return 1;
Mirror of https://github.com/haproxy/haproxy.git