From: Willy Tarreau
Date: Mon, 28 Jan 2019 15:33:35 +0000 (+0100)
Subject: BUG/MEDIUM: backend: always call si_detach_endpoint() on async connection failure
X-Git-Tag: v2.0-dev1~144
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d822013f45dea36d23a01a1d2f3680525fbc5e95;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: backend: always call si_detach_endpoint() on async connection failure

In case an asynchronous connection (ALPN) succeeds but the mux fails to attach, we must release the stream interface's endpoint, otherwise we leave the stream interface with an endpoint pointing to a freed connection with si_ops == si_conn_ops, and sess_update_st_cer() calls si_shutw() on it, causing it to crash.

This must be backported to 1.9 only.
---
diff --git a/src/backend.c b/src/backend.c index 6f9557563d..e9f3605302 100644 --- a/src/backend.c +++ b/src/backend.c @@ -1108,6 +1108,8 @@ static int conn_complete_server(struct connection *conn) return 0; fail: + si_detach_endpoint(&s->si[1]); + if (cs) cs_free(cs); /* kill the connection now */
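
Review bot: the new si_detach_endpoint(&s->si[1]) call under the fail: label carries no comment, although its placement ahead of `if (cs) cs_free(cs);` is what the fix depends on. A short comment at that spot, saying that the endpoint has to be detached before the conn_stream and connection are released so the stream interface is not left with si_conn_ops pointing at a freed connection (which sess_update_st_cer() would then reach through si_shutw()), would keep a later cleanup from reordering or dropping the call. The call also dereferences s unconditionally, so it is worth confirming that every path that jumps to fail: has a valid stream at that point; the hunk does not show those paths.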