From: Amaury Denoyelle Date: Tue, 16 Feb 2021 14:16:17 +0000 (+0100) Subject: BUG/MAJOR: connection: prevent double free if conn selected for removal X-Git-Tag: v2.4-dev9~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aba507334b471e5b5d0044a74d7177b29491637f;p=thirdparty%2Fhaproxy.git BUG/MAJOR: connection: prevent double free if conn selected for removal Always try to remove a connexion from its toremove_list in conn_free. This prevents a double-free in case the connection is freed but was already added in toremove_list. This bug was easily reproduced by running 4-5 runs of inject on a single-thread instance of haproxy : $ inject -u 10000 -d 10 -G 127.0.0.1:20080 A crash would soon be triggered in srv_cleanup_toremove_connections. This does not need to be backported. --- diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h index a7a83b1c0b..8ff8a2e0b6 100644 --- a/include/haproxy/connection.h +++ b/include/haproxy/connection.h @@ -504,6 +504,14 @@ static inline void conn_free(struct connection *conn) srv_release_conn(__objt_server(conn->target), conn); } + /* Remove the conn from toremove_list. + * + * This is needed to prevent a double-free in case the connection was + * already scheduled from cleaning but is freed before via another + * call. + */ + MT_LIST_DEL(&conn->toremove_list); + sockaddr_free(&conn->src); sockaddr_free(&conn->dst);
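Review bot: MT_LIST_DEL(&conn->toremove_list) is now executed unconditionally on every conn_free, including for connections that were never added to a server's toremove_list, so this is only safe if toremove_list is initialized (MT_LIST_INIT) on every connection creation path before the first conn_free can reach it; please confirm that in conn_init, since an uninitialized element would make the delete dereference garbage pointers rather than being a harmless no-op. Also, the new comment reads "already scheduled from cleaning" where "scheduled for cleaning" is meant, and it would help future readers to state that the entry is removed here because srv_cleanup_toremove_connections walks the list afterwards and would otherwise free the connection a second time, which is the double free the commit message describes.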