git.ipfire.org Git - thirdparty/haproxy.git/commit

]> git.ipfire.org Git - thirdparty/haproxy.git/commit

projects / thirdparty / haproxy.git / commit

author	Willy Tarreau <w@1wt.eu>
	Tue, 21 Mar 2023 09:44:44 +0000 (10:44 +0100)
committer	Willy Tarreau <w@1wt.eu>
	Tue, 21 Mar 2023 09:44:44 +0000 (10:44 +0100)
commit	a220e59ad8dd44cd71484ab5a207ed08f219c737
tree	e5ac4fea32c044ae92f0639779c503a938eddb74	tree \| snapshot
parent	0c4348c982b73fa854de7c8cee5611cbfdd9db3c	commit \| diff

BUG/MEDIUM: mux-h1: properly destroy a partially allocated h1s

In h1c_frt_stream_new() and h1c_bck_stream_new(), if we fail to completely
initialize the freshly allocated h1s, typically because sc_attach_mux()
fails, we must use h1s_destroy() to de-initialize it. Otherwise it stays
attached to the h1c when released, causing use-after-free upon the next
wakeup. This can be triggered upon memory shortage.

This needs to be backported to 2.6.

src/mux_h1.c

diff | blob | blame | history

Mirror of https://github.com/haproxy/haproxy.git

RSS Atom