From: Christopher Faulet
Date: Sat, 10 Apr 2021 07:02:32 +0000 (+0200)
Subject: BUG/MINOR: mux-pt: Fix a possible UAF because of traces in mux_pt_io_cb
X-Git-Tag: v2.4-dev17~167
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2c65ba344bbe11c3dd595e68335893282aa02ef;p=thirdparty%2Fhaproxy.git
BUG/MINOR: mux-pt: Fix a possible UAF because of traces in mux_pt_io_cb
In mux_pt_io_cb(), if a connection error or a shutdown is detected, the mux is destroyed. Thus we must be careful to not use it in a trace message once destroyed. No backport needed. This patch should fix the issue #1220.
---
diff --git a/src/mux_pt.c b/src/mux_pt.c
index eff43d26fe..3a36f373ed 100644
--- a/src/mux_pt.c
+++ b/src/mux_pt.c
@@ -250,17 +250,16 @@ struct task *mux_pt_io_cb(struct task *t, void *tctx, unsigned int status)
 }
 conn_ctrl_drain(ctx->conn);
 if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH)) {
- TRACE_DEVEL("destroying pt context", PT_EV_CONN_WAKE, ctx->conn);
+ TRACE_DEVEL("leaving destroying pt context", PT_EV_CONN_WAKE, ctx->conn);
 mux_pt_destroy(ctx);
 t = NULL;
 } else {
- TRACE_DEVEL("subscribing for reads", PT_EV_CONN_WAKE, ctx->conn);
 ctx->conn->xprt->subscribe(ctx->conn, ctx->conn->xprt_ctx, SUB_RETRY_RECV, &ctx->wait_event);
+ TRACE_DEVEL("leaving subscribing for reads", PT_EV_CONN_WAKE, ctx->conn);
 }
- TRACE_LEAVE(PT_EV_CONN_WAKE, ctx->conn);
 return t;
 }
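Review bot: Nothing in the destroy branch records why the trace has to come before `mux_pt_destroy(ctx)`, so the ordering this fix depends on is easy to undo in a later cleanup. The commit message says the mux is destroyed by that call, so a comment just above it such as `/* ctx is released by mux_pt_destroy(): emit any trace before this call and do not touch ctx afterwards */` would keep the invariant visible in the code. The same applies at the function tail, where re-adding a shared `TRACE_LEAVE(PT_EV_CONN_WAKE, ctx->conn)` after the if/else would bring back the use-after-free on the destroy path. mux_pt_io_cb() starts above this hunk, so whether its earlier return path needs the same care cannot be checked from here.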