BUG/MEDIUM: mux-h1: properly destroy a partially allocated h1s

In h1c_frt_stream_new() and h1c_bck_stream_new(), if we fail to completely
initialize the freshly allocated h1s, typically because sc_attach_mux()
fails, we must use h1s_destroy() to de-initialize it. Otherwise it stays
attached to the h1c when released, causing use-after-free upon the next
wakeup. This can be triggered upon memory shortage.

This needs to be backported to 2.6.

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 697924a16fb77b6faa7fb43b374629c2b277ca6b..20f7a1239b71778b87a7170392759887c32fdeac 100644 (file)
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -305,6 +305,7 @@ struct task *h1_timeout_task(struct task *t, void *context, unsigned int state);
 static void h1_shutw_conn(struct connection *conn);
 static void h1_wake_stream_for_recv(struct h1s *h1s);
 static void h1_wake_stream_for_send(struct h1s *h1s);
+static void h1s_destroy(struct h1s *h1s);
 
 /* returns the stconn associated to the H1 stream */
 static forceinline struct stconn *h1s_sc(const struct h1s *h1s)
@@ -803,7 +804,7 @@ static struct h1s *h1c_frt_stream_new(struct h1c *h1c, struct stconn *sc, struct
 
   fail:
        TRACE_DEVEL("leaving on error", H1_EV_STRM_NEW|H1_EV_STRM_ERR, h1c->conn);
-       pool_free(pool_head_h1s, h1s);
+       h1s_destroy(h1s);
        return NULL;
 }
 
@@ -837,7 +838,7 @@ static struct h1s *h1c_bck_stream_new(struct h1c *h1c, struct stconn *sc, struct
 
   fail:
        TRACE_DEVEL("leaving on error", H1_EV_STRM_NEW|H1_EV_STRM_ERR, h1c->conn);
-       pool_free(pool_head_h1s, h1s);
+       h1s_destroy(h1s);
        return NULL;
 }