From: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu, 23 May 2019 20:47:48 +0000 (+0200)
Subject: BUG/MEDIUM: spoe: Don't use the SPOE applet after releasing it
X-Git-Tag: v2.0-dev5~86
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55ae8a64e4e1175063463921375b279c31bbc6a4;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: spoe: Don't use the SPOE applet after releasing it

In spoe_release_appctx(), the SPOE applet may be used after it was released to
get its exit status code. Of course, HAProxy crashes when this happens.

This patch must be backported to 1.9 and 1.8.
---

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 2755f3ab42..51d4f275a8 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -1298,11 +1298,6 @@ spoe_release_appctx(struct appctx *appctx)
 		task_wakeup(ctx->strm->task, TASK_WOKEN_MSG);
 	}
 
-	/* Release allocated memory */
-	spoe_release_buffer(&spoe_appctx->buffer,
-			    &spoe_appctx->buffer_wait);
-	pool_free(pool_head_spoe_appctx, spoe_appctx);
-
 	if (!LIST_ISEMPTY(&agent->rt[tid].applets))
 		goto end;
 
@@ -1327,6 +1322,11 @@ spoe_release_appctx(struct appctx *appctx)
 	}
 
   end:
+	/* Release allocated memory */
+	spoe_release_buffer(&spoe_appctx->buffer,
+			    &spoe_appctx->buffer_wait);
+	pool_free(pool_head_spoe_appctx, spoe_appctx);
+
 	/* Update runtinme agent info */
 	agent->rt[tid].frame_size = agent->max_frame_size;
 	list_for_each_entry(spoe_appctx, &agent->rt[tid].applets, list)