From: Willy Tarreau Date: Tue, 25 Nov 2014 16:10:33 +0000 (+0100) Subject: BUG/MAJOR: sessions: unlink session from list on out of memory X-Git-Tag: v1.6-dev1~256 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b24641745b32289235d765f441ec60fa7381f99;p=thirdparty%2Fhaproxy.git BUG/MAJOR: sessions: unlink session from list on out of memory Since embryonic sessions were introduced in 1.5-dev12 with commit 2542b53 ("MAJOR: session: introduce embryonic sessions"), a major bug remained present. If haproxy cannot allocate memory during session_complete() (for example, no more buffers), it will not unlink the new session from the sessions list. This will cause memory corruptions if the memory area from the session is reused for anything else, and may also cause bogus output on "show sess" on the CLI. This fix must be backported to 1.5. --- diff --git a/src/session.c b/src/session.c index 0ceb031b99..772307495a 100644 --- a/src/session.c +++ b/src/session.c @@ -580,6 +580,7 @@ int session_complete(struct session *s) /* and restore the connection pointer in case we destroyed it, * because kill_mini_session() will need it. */ + LIST_DEL(&s->list); s->target = &conn->obj_type; return ret; }
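Review bot: the new `LIST_DEL(&s->list);` in session_complete() sits between the existing comment ("and restore the connection pointer in case we destroyed it, because kill_mini_session() will need it") and the statement that comment describes, `s->target = &conn->obj_type;`, so the comment now reads as if it explained the unlink. Move the `LIST_DEL` above the comment, or give it a one-line comment of its own stating that the session must leave the sessions list on this failure path because its memory is about to be released; without that, the reason for the call is recorded only in the commit message. Two things to confirm while backporting to 1.5, since the hunk shows a single exit point: that every allocation-failure exit in session_complete() reaches this block before `return ret;`, and that nothing later on the same path (kill_mini_session() is named in the comment as the next consumer) unlinks `s->list` a second time. The commit message describes the unfixed case as memory corruption once the session's area is reused, so a missed exit or a double unlink on this path has the same severity as the original bug.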