From: Emeric Brun <ebrun@haproxy.com>
Date: Wed, 2 Dec 2020 16:02:09 +0000 (+0100)
Subject: BUG/MAJOR: ring: tcp forward on ring can break the reader counter.
X-Git-Tag: v2.4-dev3~126
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fdabf4954860942d314fe3059a869bed207e78d4;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: ring: tcp forward on ring can break the reader counter.

If the session is not established, the applet handler could leave
with the applet detached from the ring. At next call, the attach
counter will be decreased again causing unpredectable behavior.

This patch should be backported on branches >=2.2
---

diff --git a/src/sink.c b/src/sink.c
index 4995270e49..a7f6897807 100644
--- a/src/sink.c
+++ b/src/sink.c
@@ -348,18 +348,18 @@ static void sink_forward_io_handler(struct appctx *appctx)
 		ofs += ring->ofs;
 	}
 
-	/* we were already there, adjust the offset to be relative to
-	 * the buffer's head and remove us from the counter.
-	 */
-	ofs -= ring->ofs;
-	BUG_ON(ofs >= buf->size);
-	HA_ATOMIC_SUB(b_peek(buf, ofs), 1);
-
 	/* in this loop, ofs always points to the counter byte that precedes
 	 * the message so that we can take our reference there if we have to
 	 * stop before the end (ret=0).
 	 */
 	if (si_opposite(si)->state == SI_ST_EST) {
+		/* we were already there, adjust the offset to be relative to
+		 * the buffer's head and remove us from the counter.
+		 */
+		ofs -= ring->ofs;
+		BUG_ON(ofs >= buf->size);
+		HA_ATOMIC_SUB(b_peek(buf, ofs), 1);
+
 		ret = 1;
 		while (ofs + 1 < b_data(buf)) {
 			cnt = 1;
@@ -488,18 +488,18 @@ static void sink_forward_oc_io_handler(struct appctx *appctx)
 		ofs += ring->ofs;
 	}
 
-	/* we were already there, adjust the offset to be relative to
-	 * the buffer's head and remove us from the counter.
-	 */
-	ofs -= ring->ofs;
-	BUG_ON(ofs >= buf->size);
-	HA_ATOMIC_SUB(b_peek(buf, ofs), 1);
-
 	/* in this loop, ofs always points to the counter byte that precedes
 	 * the message so that we can take our reference there if we have to
 	 * stop before the end (ret=0).
 	 */
 	if (si_opposite(si)->state == SI_ST_EST) {
+		/* we were already there, adjust the offset to be relative to
+		 * the buffer's head and remove us from the counter.
+		 */
+		ofs -= ring->ofs;
+		BUG_ON(ofs >= buf->size);
+		HA_ATOMIC_SUB(b_peek(buf, ofs), 1);
+
 		ret = 1;
 		while (ofs + 1 < b_data(buf)) {
 			cnt = 1;