From: Willy Tarreau Date: Thu, 10 Jan 2019 09:33:32 +0000 (+0100) Subject: BUG/MEDIUM: connection: properly unregister the mux on failed initialization X-Git-Tag: v2.0-dev1~228 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=762475e1f957936144e48c51a6befdef3f5fe1db;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: connection: properly unregister the mux on failed initialization When mux->init() fails, session_free() will call it again to unregister it while it was already done, resulting in null derefs or use-after-free. This typically happens on out-of-memory conditions during H1 or H2 connection or stream allocation. This fix must be backported to 1.9.
---
diff --git a/include/proto/connection.h b/include/proto/connection.h
index 79722d8c88..335757ed82 100644
--- a/include/proto/connection.h
+++ b/include/proto/connection.h
@@ -832,9 +832,16 @@ static inline struct wait_event *wl_set_waitcb(struct wait_event *wl, struct tas
 static inline int conn_install_mux(struct connection *conn, const struct mux_ops *mux, void *ctx, struct proxy *prx, struct session *sess)
 {
+ int ret;
+
 conn->mux = mux;
 conn->ctx = ctx;
- return mux->init ? mux->init(conn, prx, sess) : 0;
+ ret = mux->init ? mux->init(conn, prx, sess) : 0;
+ if (ret < 0) {
+ conn->mux = NULL;
+ conn->ctx = NULL;
+ }
+ return ret;
 }
 /* returns a human-readable error code for conn->err_code, or NULL if the code
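Review bot: The reset in the new `if (ret < 0)` branch is only safe if a failing mux->init() has already released whatever it attached to conn->ctx, and nothing in the hunk states that contract; clearing `conn->ctx` after a partially-initialized mux would otherwise turn the use-after-free into a leak, and a caller that allocated the <ctx> it passed in presumably still has to free it itself. A header comment on conn_install_mux should pin this down, e.g. `/* Installs <mux> with context <ctx> on <conn> and runs its init() callback. On failure (init() < 0) conn->mux and conn->ctx are reset to NULL so that a later session_free()/destroy path does not touch a half-initialized mux; init() is expected to have freed its own allocations and the caller keeps ownership of <ctx>. */`. I cannot see whether such a comment already exists above the signature, since the hunk starts at the signature line; the body of conn_install_mux itself lies entirely inside the hunk.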