BUG/MEDIUM: stconn: don't set the type before allocation succeeds

There's an occasional crash that can be triggered in sc_detach_endp()
when calling conn->mux->detach() upon memory allocation error. The
problem in fact comes from sc_attach_mux(), which doesn't reset the
sc type flags upon tasklet allocation failure, leading to an attempt
at detaching an incompletely initialized stconn. Let's just attach
the sc after the tasklet allocation succeeds, not before.

This must be backported to 2.6.

diff --git a/src/stconn.c b/src/stconn.c
index 39299b19a6d80d32f5a70bd769ad9085f4cf3862..e1266a4ebce94f368d517255ca8c85763129467f 100644 (file)
--- a/src/stconn.c
+++ b/src/stconn.c
@@ -256,12 +256,6 @@ int sc_attach_mux(struct stconn *sc, void *sd, void *ctx)
        struct connection *conn = ctx;
        struct sedesc *sedesc = sc->sedesc;
 
-       sedesc->se = sd;
-       sedesc->conn = ctx;
-       se_fl_set(sedesc, SE_FL_T_MUX);
-       se_fl_clr(sedesc, SE_FL_DETACHED);
-       if (!conn->ctx)
-               conn->ctx = sc;
        if (sc_strm(sc)) {
                if (!sc->wait_event.tasklet) {
                        sc->wait_event.tasklet = tasklet_new();
@@ -286,6 +280,13 @@ int sc_attach_mux(struct stconn *sc, void *sd, void *ctx)
 
                sc->app_ops = &sc_app_check_ops;
        }
+
+       sedesc->se = sd;
+       sedesc->conn = ctx;
+       se_fl_set(sedesc, SE_FL_T_MUX);
+       se_fl_clr(sedesc, SE_FL_DETACHED);
+       if (!conn->ctx)
+               conn->ctx = sc;
        return 0;
 }