BUG/MEDIUM: mux_pt: Make sure we don't have a conn_stream before freeing.

On error, make sure we don't have a conn_stream before freeing the connection
and the associated mux context. Otherwise a stream will still reference
the connection, and attempt to use it.
If we still have a conn_stream, it will properly be free'd when the detach
method is called, anyway.

This should be backported to 2.0 and 1.9.

diff --git a/src/mux_pt.c b/src/mux_pt.c
index a86cbefd920c3b0291a6f1a65ca4cc88c675922d..b957ed6322667f8b6df4ee244dca8032ed794b63 100644 (file)
--- a/src/mux_pt.c
+++ b/src/mux_pt.c
@@ -51,9 +51,10 @@ static struct task *mux_pt_io_cb(struct task *t, void *tctx, unsigned short stat
        struct mux_pt_ctx *ctx = tctx;
 
        conn_sock_drain(ctx->conn);
-       if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))
-               mux_pt_destroy(ctx);
-       else
+       if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH)) {
+               if (!ctx->cs)
+                       mux_pt_destroy(ctx);
+       } else
                ctx->conn->xprt->subscribe(ctx->conn, ctx->conn->xprt_ctx, SUB_RETRY_RECV,
                    &ctx->wait_event);
 
@@ -193,7 +194,7 @@ static void mux_pt_detach(struct conn_stream *cs)
            !(conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))) {
                ctx->cs = NULL;
                conn->xprt->subscribe(conn, conn->xprt_ctx, SUB_RETRY_RECV, &ctx->wait_event);
-       } else
+       } else if (!ctx->cs)
                /* There's no session attached to that connection, destroy it */
                mux_pt_destroy(ctx);
 }