From: Willy Tarreau <w@1wt.eu>
Date: Fri, 24 Aug 2018 13:48:59 +0000 (+0200)
Subject: BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
X-Git-Tag: v1.9-dev2~114
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad7f0ad1c3c9c541a4c315b24d4500405d1383ee;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()

mux_pt_wake() calls data->wake() which can return -1 indicating that the
connection was just destroyed. We need to check for this condition and
immediately exit in this case otherwise we dereference a just freed
connection. Note that this mainly happens on idle connections between
two HTTP requests. It can have random implications between requests as
it may lead a wrong connection's polling to be re-enabled or disabled
for example, especially with threads.

This patch must be backported to 1.8.
---

diff --git a/src/mux_pt.c b/src/mux_pt.c
index dbdd78b094..71f26e7534 100644
--- a/src/mux_pt.c
+++ b/src/mux_pt.c
@@ -51,6 +51,9 @@ static int mux_pt_wake(struct connection *conn)
 
 	ret = cs->data_cb->wake ? cs->data_cb->wake(cs) : 0;
 
+	if (ret < 0)
+		return ret;
+
 	/* If we had early data, and we're done with the handshake
 	 * then whe know the data are safe, and we can remove the flag.
 	 */