From: Emeric Brun
Date: Tue, 19 Oct 2021 13:40:10 +0000 (+0200)
Subject: BUG/MAJOR: dns: tcp session can remain attached to a list after a free
X-Git-Tag: v2.5-dev11~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d20dc21eeca1d5e936f7a8bfd3d865a032499c65;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: dns: tcp session can remain attached to a list after a free

Using tcp, after a session release and free, the session can remain attached to the list of sessions with a response message waiting for a commit (ds->waiter). This results in a use after free of this session.

Also, on some error paths and after a free, a session could remain attached to the lists of available idle/free sessions (ds->list).

This patch ensures the session is removed from those external lists before a free.

This patch should be backported to all versions including DNS over TCP (2.4)
---
diff --git a/src/dns.c b/src/dns.c index fa6f2b9073..433b554ad7 100644 --- a/src/dns.c +++ b/src/dns.c @@ -758,6 +758,13 @@ void dns_session_free(struct dns_session *ds) dns_queries_flush(ds); + /* Ensure to remove this session from external lists + * Note: we are under the lock of dns_stream_server + * which own the heads of those lists. + */ + LIST_DEL_INIT(&ds->waiter); + LIST_DEL_INIT(&ds->list); + ds->dss->cur_conns--; /* Note: this is useless to update * max_active_conns here because
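Review bot: the comment added above the two LIST_DEL_INIT() calls in dns_session_free() says the caller holds the dns_stream_server lock, but nothing in the hunk takes or checks that lock, so the use-after-free fix depends on every caller honouring an undocumented precondition. Please state the locking requirement in the function's header comment (not only inline) and confirm that each call site, including the error paths the commit message mentions, reaches dns_session_free() with the lock held; unlinking ds->waiter and ds->list without it would race with whoever walks those lists. It is also worth confirming that both list elements are initialized when the session is allocated, since the unlink now runs unconditionally on sessions that may never have been queued on either list. Minor: "which own the heads" should read "which owns the heads".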