From: Willy Tarreau Date: Tue, 19 Jul 2011 22:17:39 +0000 (+0200) Subject: [BUG] session: risk of crash on out of memory (1.5-dev regression) X-Git-Tag: v1.5-dev8~184 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9bd0d744efdcd6bb9c910f50af9768e136d830e2;p=thirdparty%2Fhaproxy.git [BUG] session: risk of crash on out of memory (1.5-dev regression) Patch af5149 introduced an issue which can be detected only on out of memory conditions : a LIST_DEL() may be performed on an uninitialized struct member instead of a LIST_INIT() during the accept() phase, causing crashes and memory corruption to occur. This issue was detected and diagnosed by the Exceliance R&D team. This is 1.5-specific and very recent, so no existing deployment should be impacted. --- diff --git a/include/proto/session.h b/include/proto/session.h index 810fe44c5a..78a22226b5 100644 --- a/include/proto/session.h +++ b/include/proto/session.h @@ -240,6 +240,12 @@ static void inline session_del_srv_conn(struct session *sess) LIST_DEL(&sess->by_srv); } +static void inline session_init_srv_conn(struct session *sess) +{ + sess->srv_conn = NULL; + LIST_INIT(&sess->by_srv); +} + #endif /* _PROTO_SESSION_H */ /* diff --git a/src/peers.c b/src/peers.c index f253280414..47d9fe13d8 100644 --- a/src/peers.c +++ b/src/peers.c @@ -1185,7 +1185,7 @@ static struct session *peer_session_create(struct peer *peer, struct peer_sessio stream_sock_prepare_interface(&s->si[1]); s->si[1].release = NULL; - session_del_srv_conn(s); + session_init_srv_conn(s); clear_target(&s->target); s->pend_pos = NULL; diff --git a/src/session.c b/src/session.c index ae720cf34a..6e3a52534c 100644 --- a/src/session.c +++ b/src/session.c @@ -201,7 +201,7 @@ int session_accept(struct listener *l, int cfd, struct sockaddr_storage *addr) if (likely(s->fe->options2 & PR_O2_INDEPSTR)) s->si[1].flags |= SI_FL_INDEP_STR; - session_del_srv_conn(s); + session_init_srv_conn(s); clear_target(&s->target); s->pend_pos = NULL;
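Review bot: the new session_init_srv_conn() helper in include/proto/session.h has no comment saying when it must be used instead of session_del_srv_conn(): on a freshly allocated session the by_srv member has never been linked into any list, so LIST_DEL() on it operates on uninitialised neighbour pointers, which is exactly the crash and memory corruption the commit message describes. Suggest a short comment above the definition, e.g. `/* initialise srv_conn/by_srv on a newly allocated session; use session_del_srv_conn() only once the session has been linked */`, so future callers pick the right one. Otherwise the helper follows the surrounding style (`static void inline`, as in session_del_srv_conn() just above it) and initialises the same two members that session_del_srv_conn() tears down.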
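Review bot: the switch from session_del_srv_conn() to session_init_srv_conn() in peer_session_create() (src/peers.c) is correct for a session that has just been created, but the hunk carries no hint why; a one-line comment at the call site (`/* new session: initialise, do not unlink */`) would keep the next refactor from reverting it to the del variant, which compiles just as well and, as the commit message notes, only misbehaves under out-of-memory conditions where it is hard to catch.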
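Review bot: same replacement in session_accept() (src/session.c); worth confirming that every error path in session_accept() that runs after this point tears the session down through code that expects by_srv to be a valid (initialised, possibly empty) list, since session_init_srv_conn() now guarantees that where session_del_srv_conn() previously did not. With both creation sites changed in this patch, a grep for any remaining session_del_srv_conn() calls on a session that was never linked would close the audit.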