From: Willy Tarreau Date: Sat, 26 Aug 2023 15:05:19 +0000 (+0200) Subject: BUG/MEDIUM: mux-h2: fix crash when checking for reverse connection after error X-Git-Tag: v2.9-dev5~108 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7b9baa2ccf513219b2c4ba3f3bbbde14777d617;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-h2: fix crash when checking for reverse connection after error If the connection is closed in h2_release(), which is indicated by ret<0, we must not dereference conn anymore. This was introduced in 2.9-dev4 by commit 5053e8914 ("MEDIUM: h2: prevent stream opening before connection reverse completed") and detected after a few hours of runtime thanks to running with pool integrity checks and caller enabled. No backport is needed. --- diff --git a/src/mux_h2.c b/src/mux_h2.c index 6d5b43467d..cc698b66b2 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -4257,17 +4257,18 @@ static int h2_wake(struct connection *conn) TRACE_ENTER(H2_EV_H2C_WAKE, conn); ret = h2_process(h2c); - if (ret >= 0) + if (ret >= 0) { h2_wake_some_streams(h2c, 0); - /* For active reverse connection, an explicit check is required if an - * error is pending to propagate the error as demux process is blocked - * until reversal. This allows to quickly close the connection and - * prepare a new one. - */ - if (unlikely(conn_reverse_in_preconnect(conn)) && h2c_is_dead(h2c)) { - TRACE_DEVEL("leaving and killing dead connection", H2_EV_STRM_END, h2c->conn); - h2_release(h2c); + /* For active reverse connection, an explicit check is required if an + * error is pending to propagate the error as demux process is blocked + * until reversal. This allows to quickly close the connection and + * prepare a new one. + */ + if (unlikely(conn_reverse_in_preconnect(conn)) && h2c_is_dead(h2c)) { + TRACE_DEVEL("leaving and killing dead connection", H2_EV_STRM_END, h2c->conn); + h2_release(h2c); + } } TRACE_LEAVE(H2_EV_H2C_WAKE);
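Review bot: In the relocated reverse-connection block in h2_wake(), the inner `h2_release(h2c);` call leaves `ret` at its non-negative value. The commit message treats ret<0 as the signal that the connection was closed in h2_release(), so on this path the connection has been released but the value still says it is usable. The return statement is outside the visible hunk; if the function returns `ret` after TRACE_LEAVE, consider setting `ret = -1;` right after the inner `h2_release(h2c);` so the caller does not touch `conn` again, which is the same class of use-after-release this patch fixes. A smaller point: the block comment could say in one sentence that the check is only valid while `ret >= 0` because `conn` and `h2c` may already be freed otherwise, so the nesting is not undone by a later cleanup. The TRACE_DEVEL line also reads `h2c->conn` while the condition uses `conn`; using one of the two consistently would make it clearer that both are still live at that point.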