The cache entries are now added into the tree even when they are not
complete yet. If we realized while trying to add a response's payload
that the shctx was full, the entry was disabled through the
disable_cache_entry function, which cleared the key field of the entry's
node, but without actually removing it from the tree. So the shctx row
could be stolen from the entry and the row's content be rewritten while
a lookup in the tree would still find a reference to the old entry. This
caused a random crash in case of cache saturation and row reuse.
This patch adds the missing removal of the node from the tree next to
the reset of the key in disable_cache_entry.
This bug was introduced by commit
3243447 ("MINOR: cache: Add entry
to the tree as soon as possible")
It does not need to be backported.
filter->ctx = NULL; /* disable cache */
shctx_lock(shctx);
shctx_row_dec_hot(shctx, st->first_block);
+ eb32_delete(&object->eb);
object->eb.key = 0;
shctx_unlock(shctx);
pool_free(pool_head_cache_st, st);
projects / thirdparty / haproxy.git / commitdiff
