BUG/MEDIUM: connection: properly unregister the mux on failed initialization

When mux->init() fails, session_free() will call it again to unregister
it while it was already done, resulting in null derefs or use-after-free.
This typically happens on out-of-memory conditions during H1 or H2 connection
or stream allocation.

This fix must be backported to 1.9.

diff --git a/include/proto/connection.h b/include/proto/connection.h
index 79722d8c88cdba9519135cbf24bddc993b00d91e..335757ed82e3026c8d88d15083a9417d1b814343 100644 (file)
--- a/include/proto/connection.h
+++ b/include/proto/connection.h
@@ -832,9 +832,16 @@ static inline struct wait_event *wl_set_waitcb(struct wait_event *wl, struct tas
 static inline int conn_install_mux(struct connection *conn, const struct mux_ops *mux,
                                    void *ctx, struct proxy *prx, struct session *sess)
 {
+       int ret;
+
        conn->mux = mux;
        conn->ctx = ctx;
-       return mux->init ? mux->init(conn, prx, sess) : 0;
+       ret = mux->init ? mux->init(conn, prx, sess) : 0;
+       if (ret < 0) {
+               conn->mux = NULL;
+               conn->ctx = NULL;
+       }
+       return ret;
 }
 
 /* returns a human-readable error code for conn->err_code, or NULL if the code