From: William Lallemand <wlallemand@haproxy.org>
Date: Thu, 8 Dec 2022 10:11:36 +0000 (+0100)
Subject: BUG/MEDIUM: httpclient/lua: double LIST_DELETE on end of lua task
X-Git-Tag: v2.8-dev1~159
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94dbfedec138101f314d746dab87caa3a1760b59;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: httpclient/lua: double LIST_DELETE on end of lua task

The lua httpclient cleanup can be called in 2 places, the
hlua_httpclient_gc() and the hlua_httpclient_destroy_all().

A LIST_DELETE() is performed to remove the hlua_hc struct of the list.
However, when the lua task ends and call hlua_ctx_destroy(), it does a
LIST_DELETE() first, and then the gc tries to do a LIST_DELETE() again
in hlua_httpclient_gc(), provoking a crash.

This patch fixes the issue by doing a LIST_DEL_INIT() instead of
LIST_DELETE() in both cases.

Should fix issue #1958.

Must be backported where bb58142 is backported.
---

diff --git a/src/hlua.c b/src/hlua.c
index 35f9c8f560..a037991479 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -1279,7 +1279,7 @@ static void hlua_httpclient_destroy_all(struct hlua *hlua)
 		if (hlua_hc->hc)
 			httpclient_stop_and_destroy(hlua_hc->hc);
 		hlua_hc->hc = NULL;
-		LIST_DELETE(&hlua_hc->by_hlua);
+		LIST_DEL_INIT(&hlua_hc->by_hlua);
 	}
 }
 
@@ -7033,10 +7033,8 @@ __LJMP static int hlua_httpclient_gc(lua_State *L)
 	if (hlua_hc->hc)
 		httpclient_stop_and_destroy(hlua_hc->hc);
 
-	LIST_DELETE(&hlua_hc->by_hlua);
-
 	hlua_hc->hc = NULL;
-
+	LIST_DEL_INIT(&hlua_hc->by_hlua);
 
 	return 0;
 }