BUG/MINOR: mux-pt: Fix a possible UAF because of traces in mux_pt_io_cb

In mux_pt_io_cb(), if a connection error or a shutdown is detected, the mux
is destroyed. Thus we must be careful to not use it in a trace message once
destroyed.

No backport needed. This patch should fix the issue #1220.

diff --git a/src/mux_pt.c b/src/mux_pt.c
index eff43d26feb4662893cde9a2d4eb628c73bbdf18..3a36f373edb97d9cd9c8dce78691e89b44333c54 100644 (file)
--- a/src/mux_pt.c
+++ b/src/mux_pt.c
@@ -250,17 +250,16 @@ struct task *mux_pt_io_cb(struct task *t, void *tctx, unsigned int status)
        }
        conn_ctrl_drain(ctx->conn);
        if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH)) {
-               TRACE_DEVEL("destroying pt context", PT_EV_CONN_WAKE, ctx->conn);
+               TRACE_DEVEL("leaving destroying pt context", PT_EV_CONN_WAKE, ctx->conn);
                mux_pt_destroy(ctx);
                t = NULL;
        }
        else {
-               TRACE_DEVEL("subscribing for reads", PT_EV_CONN_WAKE, ctx->conn);
                ctx->conn->xprt->subscribe(ctx->conn, ctx->conn->xprt_ctx, SUB_RETRY_RECV,
                                           &ctx->wait_event);
+               TRACE_DEVEL("leaving subscribing for reads", PT_EV_CONN_WAKE, ctx->conn);
        }
 
-       TRACE_LEAVE(PT_EV_CONN_WAKE, ctx->conn);
        return t;
 }