BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records

trahs chunks are buffers but not allocated from the buffers pool. And the
"trash" chunk is static and thread-local. It is two reason to not swap it
with a regular buffer allocated from the buffers pool.

Unfortunatly, it is exactly what is performed in the FCGI mux when a STDERR
record is handled. b_xfer() is used to copy data from the demux buffer to
the trash to format the error message. A zeor-copy via a swap may be
performed. In this case, this leads to a memory corruption and a crash
because, some time later, the demux buffer is released because it is
empty. And it is in fact the trash chunk.

b_force_xfer() must be used instead. This function forces the copy.

This patch must be backported as far as 2.2. For 2.4 and 2.2, b_force_xfer()
does not exist. For these versions, the following commit must be backported
too:

  * c7860007cc ("MINOR: buf: Add b_force_xfer() function")

diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
index ec2cb60dcf0921354adc919bd6998beefbe1a796..8a4e6c2a8f2044b52205209d11817810d202f408 100644 (file)
--- a/src/mux_fcgi.c
+++ b/src/mux_fcgi.c
@@ -2363,7 +2363,7 @@ static int fcgi_strm_handle_stderr(struct fcgi_conn *fconn, struct fcgi_strm *fs
                goto fail; // incomplete record
 
        chunk_reset(&trash);
-       ret = b_xfer(&trash, dbuf, MIN(b_room(&trash), fconn->drl));
+       ret = b_force_xfer(&trash, dbuf, MIN(b_room(&trash), fconn->drl));
        if (!ret)
                goto fail;
        fconn->drl -= ret;