BUG/MAJOR: spoe: properly detach all agents when releasing the applet

There's a bug in spoe_release_appctx() which checks the presence of items
in the wrong list rt[tid].agents to run over rt[tid].waiting_queue and
zero their spoe_appctx. The effect is that these contexts are not zeroed
and if spoe_stop_processing() is called, "sa->cur_fpa--" will be applied
to one of these recently freed contexts and will corrupt random memory
locations, as found at least in bugs #1494 and #1525.

This must be backported to all stable versions.

Many thanks to Christian Ruppert from Babiel for exchanging so many
useful traces over the last two months, testing debugging code and
helping set up a similar environment to reproduce it!

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 3f17bcb615cb2ad99881130cf44c1d1ec48b7eba..0badee3f8c61d7c36a7f255169a9ba1e031f6742 100644 (file)
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -1282,7 +1282,7 @@ spoe_release_appctx(struct appctx *appctx)
                task_wakeup(ctx->strm->task, TASK_WOKEN_MSG);
        }
 
-       if (!LIST_ISEMPTY(&agent->rt[tid].applets)) {
+       if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue)) {
                list_for_each_entry_safe(ctx, back, &agent->rt[tid].waiting_queue, list) {
                        if (ctx->spoe_appctx == spoe_appctx)
                                ctx->spoe_appctx = NULL;