BUG/MEDIUM: http-ana: Don't release too early the L7 buffer

In some cases, the buffer used to store the request to be able to perform a
L7 retry is released released too early, leading to a crash because a retry
is performed with an empty request.

First, there is a test on invalid 101 responses that may be caught by the
"junk-response" retry policy. Then, it is possible to get an error
(empty-response, bad status code...) after an interim response. In both
cases, the L7 buffer is already released while it should not.

To fix the issue, the L7 buffer is now released at the end of the
AN_RES_WAIT_HTTP analyser, but only when a response was successfully
received and processed. In all error cases, the stream is quickly released,
with the L7 buffer. So there is no leak and it is safer this way.

This patch may fix the issue #2793. It must be as far as 2.4.

diff --git a/src/http_ana.c b/src/http_ana.c
index 0a5ba007a62c0b0ed3f0b4458ea4983c55ace9c4..1dae2ee19162337162cff8a417c429ce19012017 100644 (file)
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -1451,9 +1451,6 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
                return 0;
        }
 
-       /* Now, L7 buffer is useless, it can be released */
-       b_free(&txn->l7_buffer);
-
        msg->msg_state = HTTP_MSG_BODY;
 
 
@@ -1642,6 +1639,9 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
        }
 
   end:
+       /* Now, L7 buffer is useless, it can be released */
+       b_free(&txn->l7_buffer);
+
        /* we want to have the response time before we start processing it */
        s->logs.t_data = ns_to_ms(now_ns - s->logs.accept_ts);