[BUG] session: risk of crash on out of memory (1.5-dev regression)

Patch af5149 introduced an issue which can be detected only on out of
memory conditions : a LIST_DEL() may be performed on an uninitialized
struct member instead of a LIST_INIT() during the accept() phase,
causing crashes and memory corruption to occur.

This issue was detected and diagnosed by the Exceliance R&D team.

This is 1.5-specific and very recent, so no existing deployment should
be impacted.

diff --git a/include/proto/session.h b/include/proto/session.h
index 810fe44c5a6a402daa3cbe0ddcde4c2b8aea8fd3..78a22226b5185199d96c59b51597cca3fd32bdf9 100644 (file)
--- a/include/proto/session.h
+++ b/include/proto/session.h
@@ -240,6 +240,12 @@ static void inline session_del_srv_conn(struct session *sess)
        LIST_DEL(&sess->by_srv);
 }
 
+static void inline session_init_srv_conn(struct session *sess)
+{
+       sess->srv_conn = NULL;
+       LIST_INIT(&sess->by_srv);
+}
+
 #endif /* _PROTO_SESSION_H */
 
 /*

diff --git a/src/peers.c b/src/peers.c
index f2532804140e4dc3e8c9b4c822cbec8f67c4afd7..47d9fe13d893b54ee84691e94b6817f881d1c15f 100644 (file)
--- a/src/peers.c
+++ b/src/peers.c
@@ -1185,7 +1185,7 @@ static struct session *peer_session_create(struct peer *peer, struct peer_sessio
        stream_sock_prepare_interface(&s->si[1]);
        s->si[1].release = NULL;
 
-       session_del_srv_conn(s);
+       session_init_srv_conn(s);
        clear_target(&s->target);
        s->pend_pos = NULL;
 

diff --git a/src/session.c b/src/session.c
index ae720cf34a928e9092e305086b57b030b5771e17..6e3a52534cc448024f6c3554246227525955ab93 100644 (file)
--- a/src/session.c
+++ b/src/session.c
@@ -201,7 +201,7 @@ int session_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
        if (likely(s->fe->options2 & PR_O2_INDEPSTR))
                s->si[1].flags |= SI_FL_INDEP_STR;
 
-       session_del_srv_conn(s);
+       session_init_srv_conn(s);
        clear_target(&s->target);
        s->pend_pos = NULL;