From: Christopher Faulet Date: Mon, 25 Nov 2024 21:05:27 +0000 (+0100) Subject: BUG/MEDIUM: http-ana: Don't release too early the L7 buffer X-Git-Tag: v3.1.0~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc15581c02171eeb49ef3ffbab0f583f38482b4c;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: http-ana: Don't release too early the L7 buffer In some cases, the buffer used to store the request to be able to perform a L7 retry is released released too early, leading to a crash because a retry is performed with an empty request. First, there is a test on invalid 101 responses that may be caught by the "junk-response" retry policy. Then, it is possible to get an error (empty-response, bad status code...) after an interim response. In both cases, the L7 buffer is already released while it should not. To fix the issue, the L7 buffer is now released at the end of the AN_RES_WAIT_HTTP analyser, but only when a response was successfully received and processed. In all error cases, the stream is quickly released, with the L7 buffer. So there is no leak and it is safer this way. This patch may fix the issue #2793. It must be as far as 2.4. --- diff --git a/src/http_ana.c b/src/http_ana.c index 0a5ba007a6..1dae2ee191 100644 --- a/src/http_ana.c +++ b/src/http_ana.c @@ -1451,9 +1451,6 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) return 0; } - /* Now, L7 buffer is useless, it can be released */ - b_free(&txn->l7_buffer); - msg->msg_state = HTTP_MSG_BODY; @@ -1642,6 +1639,9 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) } end: + /* Now, L7 buffer is useless, it can be released */ + b_free(&txn->l7_buffer); + /* we want to have the response time before we start processing it */ s->logs.t_data = ns_to_ms(now_ns - s->logs.accept_ts);