From: Willy Tarreau
Date: Mon, 22 Dec 2014 20:40:55 +0000 (+0100)
Subject: BUG/MEDIUM: memory: fix freeing logic in pool_gc2()
X-Git-Tag: v1.6-dev1~236
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57767b80329ceade67302aed4fd9760ed5f3d644;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: memory: fix freeing logic in pool_gc2()

There's a long-standing bug in pool_gc2(). It tries to protect the pool against releasing of too many entries but the formula is wrong as it compares allocated to minavail instead of (allocated-used) to minavail. Under memory contention, it ends up releasing more than what is granted by minavail and causes trouble to the dynamic buffer allocator.

This bug is in fact major by itself, but since minavail has never been used till now, there is no impact at least in mainline. A backport to 1.5 is desired anyway in case any future backport or out-of-tree patch relies on this.

---
diff --git a/src/memory.c b/src/memory.c index 1e62259cbc..fcd7679314 100644 --- a/src/memory.c +++ b/src/memory.c @@ -142,8 +142,7 @@ void pool_gc2() //qfprintf(stderr, "Flushing pool %s\n", entry->name); next = entry->free_list; while (next && - entry->allocated > entry->minavail && - entry->allocated > entry->used) { + (int)(entry->allocated - entry->used) > (int)entry->minavail) { temp = next; next = *(void **)temp; entry->allocated--;
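Review bot: the `(int)` casts in the new `while` condition carry the correctness of the loop but nothing in the hunk explains them; if `allocated`, `used` and `minavail` are unsigned (the casts suggest they are), then `entry->allocated - entry->used` wraps to a huge value whenever `used` exceeds `allocated`, and only the cast to `int` turns that into a negative number that fails the `>` test and ends the loop, so a one-line comment above the `while`, for example `/* casts: a negative (allocated - used) must stop the loop */`, would save the next reader from re-deriving this. Note also that the old explicit `entry->allocated > entry->used` guard is dropped by this change; it stays implied by the new test only as long as `minavail` is never negative, which is worth stating in the same comment so that a later change to `minavail`'s type or default does not silently reintroduce over-release.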