From: Willy Tarreau Date: Sat, 24 Oct 2020 10:57:41 +0000 (+0200) Subject: BUG/MEDIUM: queue: fix unsafe proxy pointer when counting nbpend X-Git-Tag: v2.3-dev8~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5472aa50f190d56f1e632df92064ff6fed416f48;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: queue: fix unsafe proxy pointer when counting nbpend As reported by Coverity in issue #917, commit 96bca33 ("OPTIM: queue: decrement the nbpend and totpend counters outside of the lock") introduced a bug when moving the increments outside of the loop, because we can't always rely on the pendconn "p" here as it may be null. We can retrieve the proxy pointer directly from s->proxy instead. The same is true for pendconn_redistribute(), though the last "p" pointer there was still valid. This patch fixes both. No backport is needed, this was introduced just before 2.3-dev8. --- diff --git a/src/queue.c b/src/queue.c index bd95472d4e..19b99a5f60 100644 --- a/src/queue.c +++ b/src/queue.c @@ -465,8 +465,8 @@ int pendconn_redistribute(struct server *s) xferred++; } if (xferred) { - _HA_ATOMIC_SUB(&p->srv->nbpend, xferred); - _HA_ATOMIC_SUB(&p->px->totpend, xferred); + _HA_ATOMIC_SUB(&s->nbpend, xferred); + _HA_ATOMIC_SUB(&s->proxy->totpend, xferred); } return xferred; } @@ -508,8 +508,8 @@ int pendconn_grab_from_px(struct server *s) } HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &s->proxy->lock); if (xferred) { - _HA_ATOMIC_SUB(&p->px->nbpend, xferred); - _HA_ATOMIC_SUB(&p->px->totpend, xferred); + _HA_ATOMIC_SUB(&s->proxy->nbpend, xferred); + _HA_ATOMIC_SUB(&s->proxy->totpend, xferred); } return xferred; }
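Review bot: In the pendconn_redistribute() hunk, `_HA_ATOMIC_SUB(&s->nbpend, xferred);` matches the old `&p->srv->nbpend` only if every entry counted in xferred was queued on s, and `&s->proxy->totpend` matches `&p->px->totpend` only if each entry's px is s->proxy. The loop that builds xferred is outside the visible context, so a short comment above `if (xferred) {` stating that invariant would let a reader check the subtraction without rereading the loop. The commit message says the last "p" was still valid in this function, so it would also help to say in that comment that the switch to s is for robustness and consistency with pendconn_grab_from_px() rather than a behaviour change.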
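Review bot: In the pendconn_grab_from_px() hunk, nothing after `HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &s->proxy->lock);` uses "p" any more, yet the variable presumably remains in scope there, which is how the null dereference described in the commit message crept in. If "p" is declared at function scope, consider moving its declaration inside the loop so that any later use after the unlock fails to compile instead of waiting for a static analyser to catch it. Separately, both `_HA_ATOMIC_SUB(&s->proxy->nbpend, xferred);` and `_HA_ATOMIC_SUB(&s->proxy->totpend, xferred);` run after the write lock is released, so the counters can briefly be higher than the real queue length; a one-line comment saying this is intentional (per the earlier OPTIM commit named in the message) would document that for readers of the counters.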