git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MEDIUM: Make sure we leave the session list in session_free().
author Olivier Houchard <ohouchard@haproxy.com>
Thu, 14 Nov 2019 18:26:14 +0000 (19:26 +0100)
committer Olivier Houchard <cognet@ci0.org>
Thu, 14 Nov 2019 18:25:49 +0000 (19:25 +0100)
In session_free(), if we're about to destroy a connection that had no mux,
make sure we leave the session_list before calling conn_free(). Otherwise,
conn_free() would call session_unown_conn(), which would potentially free
the associated srv_list, but session_free() also frees it, so that would
lead to a double free, and random memory corruption.

This should be backported to 1.9 and 2.0.

src/session.c

index 7b2564e8c53f81376d688141e1fff1826a81ecea..c9bdd9421db5b7228893ef0d209bca9ea36ec6a2 100644 (file)
@@ -90,6 +90,10 @@ void session_free(struct session *sess)
                                /* We have a connection, but not yet an associated mux.
                                 * So destroy it now.
                                 */
+                               if (!LIST_ISEMPTY(&conn->session_list)) {
+                                       LIST_DEL(&conn->session_list);
+                                       LIST_INIT(&conn->session_list);
+                               }
                                conn_stop_tracking(conn);
                                conn_full_close(conn);
                                conn_free(conn);
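
Review bot: The new `if (!LIST_ISEMPTY(&conn->session_list))` block carries no comment, and the existing comment above it only says the connection is destroyed because it has no mux. The reason the unlink has to happen before `conn_free(conn)` is stated only in the commit message: conn_free() would otherwise go through session_unown_conn() and may free the srv_list that session_free() frees itself. Please extend the comment to say that the connection is removed from the session list first so that conn_free() does not touch the session's lists, since this ordering is what prevents the double free and a later reordering or cleanup of these calls could silently reintroduce it. It would also help to note that the `LIST_INIT()` after `LIST_DEL()` is deliberate, so that the element reads as empty to any later `LIST_ISEMPTY()` check rather than holding stale pointers.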