BUG/MAJOR: connection: prevent double free if conn selected for removal

Always try to remove a connexion from its toremove_list in conn_free.
This prevents a double-free in case the connection is freed but was
already added in toremove_list.

This bug was easily reproduced by running 4-5 runs of inject on a
single-thread instance of haproxy :

$ inject -u 10000 -d 10 -G 127.0.0.1:20080

A crash would soon be triggered in srv_cleanup_toremove_connections.

This does not need to be backported.

diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h
index a7a83b1c0bdbf34ad04d60358376733a697d4f72..8ff8a2e0b65c89f8ee2cdd382a4597606f01fed5 100644 (file)
--- a/include/haproxy/connection.h
+++ b/include/haproxy/connection.h
@@ -504,6 +504,14 @@ static inline void conn_free(struct connection *conn)
                        srv_release_conn(__objt_server(conn->target), conn);
        }
 
+       /* Remove the conn from toremove_list.
+        *
+        * This is needed to prevent a double-free in case the connection was
+        * already scheduled from cleaning but is freed before via another
+        * call.
+        */
+       MT_LIST_DEL(&conn->toremove_list);
+
        sockaddr_free(&conn->src);
        sockaddr_free(&conn->dst);