From: Willy Tarreau Date: Mon, 4 Sep 2023 09:45:37 +0000 (+0200) Subject: BUG/MEDIUM: connection: fix pool free regression with recent ppv2 TLV patches X-Git-Tag: v2.9-dev5~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=135c66f6cb34a993df544e7da72e323d058ac54d;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: connection: fix pool free regression with recent ppv2 TLV patches In commit fecc573da ("MEDIUM: connection: Generic, list-based allocation and look-up of PPv2 TLVs") there was a tiny mistake, elements of length <= 128 are allocated from pool_pp_128 but only those of length < 128 are released to this pool, other ones go to pool_pp_256. Because of this, elements of size exactly 128 are allocated from 128 and released to 256. It can be reproduced a few times by running sample_fetches/tlvs.vtc 1000 times with -DDEBUG_DONT_SHARE_POOLS -DDEBUG_MEMORY_POOLS -DDEBUG_EXPR -DDEBUG_STRICT=2 -DDEBUG_POOL_INTEGRITY -DDEBUG_POOL_TRACING -DDEBUG_NO_POOLS. Not sure why it doesn't reproduce more often though. No backport is needed. This should address github issues #2275 and #2274. --- diff --git a/src/connection.c b/src/connection.c index 5d84d60374..5f7226aaec 100644 --- a/src/connection.c +++ b/src/connection.c @@ -569,7 +569,7 @@ void conn_free(struct connection *conn) LIST_DELETE(&tlv->list); if (tlv->len > HA_PP2_TLV_VALUE_256) free(tlv); - else if (tlv->len < HA_PP2_TLV_VALUE_128) + else if (tlv->len <= HA_PP2_TLV_VALUE_128) pool_free(pool_head_pp_tlv_128, tlv); else pool_free(pool_head_pp_tlv_256, tlv);
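Review bot: in conn_free(), the release-side size classes are still a hand-written copy of the allocation-side thresholds, and that duplication is how the `<` versus `<=` mismatch described in the commit message crept in. The visible branches send `tlv->len > HA_PP2_TLV_VALUE_256` to free(), `tlv->len <= HA_PP2_TLV_VALUE_128` to pool_head_pp_tlv_128, and everything else to pool_head_pp_tlv_256. Consider having both the allocation and release paths select the pool through one shared helper, or at minimum add a comment here naming the allocation site whose comparisons this must mirror. While touching this, it is worth confirming that the upper boundary agrees too: this code releases an element of length exactly HA_PP2_TLV_VALUE_256 to pool_head_pp_tlv_256, so the allocator must take that length from the same pool and not from malloc(). Since the commit message reports that the bug shows up only a few times in 1000 runs of sample_fetches/tlvs.vtc, a case that carries a TLV of exactly HA_PP2_TLV_VALUE_128 bytes (and one of exactly HA_PP2_TLV_VALUE_256) would exercise both edges directly.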