BUG/MEDIUM: queue: fix unsafe proxy pointer when counting nbpend

As reported by Coverity in issue #917, commit 96bca33 ("OPTIM: queue:
decrement the nbpend and totpend counters outside of the lock")
introduced a bug when moving the increments outside of the loop,
because we can't always rely on the pendconn "p" here as it may
be null. We can retrieve the proxy pointer directly from s->proxy
instead. The same is true for pendconn_redistribute(), though the
last "p" pointer there was still valid. This patch fixes both.

No backport is needed, this was introduced just before 2.3-dev8.

diff --git a/src/queue.c b/src/queue.c
index bd95472d4ed3836d7ac9e45bbacf31d63f7b7cd2..19b99a5f6045ad97b14d08b0066998c9775968e1 100644 (file)
--- a/src/queue.c
+++ b/src/queue.c
@@ -465,8 +465,8 @@ int pendconn_redistribute(struct server *s)
                xferred++;
        }
        if (xferred) {
-               _HA_ATOMIC_SUB(&p->srv->nbpend, xferred);
-               _HA_ATOMIC_SUB(&p->px->totpend, xferred);
+               _HA_ATOMIC_SUB(&s->nbpend, xferred);
+               _HA_ATOMIC_SUB(&s->proxy->totpend, xferred);
        }
        return xferred;
 }
@@ -508,8 +508,8 @@ int pendconn_grab_from_px(struct server *s)
        }
        HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &s->proxy->lock);
        if (xferred) {
-               _HA_ATOMIC_SUB(&p->px->nbpend, xferred);
-               _HA_ATOMIC_SUB(&p->px->totpend, xferred);
+               _HA_ATOMIC_SUB(&s->proxy->nbpend, xferred);
+               _HA_ATOMIC_SUB(&s->proxy->totpend, xferred);
        }
        return xferred;
 }