From: Olivier Houchard Date: Thu, 14 Nov 2019 18:26:14 +0000 (+0100) Subject: BUG/MEDIUM: Make sure we leave the session list in session_free(). X-Git-Tag: v2.1-dev5~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a132e5efa9;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: Make sure we leave the session list in session_free(). In session_free(), if we're about to destroy a connection that had no mux, make sure we leave the session_list before calling conn_free(). Otherwise, conn_free() would call session_unown_conn(), which would potentially free the associated srv_list, but session_free() also frees it, so that would lead to a double free, and random memory corruption. This should be backported to 1.9 and 2.0. --- diff --git a/src/session.c b/src/session.c index 7b2564e8c5..c9bdd9421d 100644 --- a/src/session.c +++ b/src/session.c @@ -90,6 +90,10 @@ void session_free(struct session *sess) /* We have a connection, but not yet an associated mux. * So destroy it now. */ + if (!LIST_ISEMPTY(&conn->session_list)) { + LIST_DEL(&conn->session_list); + LIST_INIT(&conn->session_list); + } conn_stop_tracking(conn); conn_full_close(conn); conn_free(conn);
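Review bot: The new `if (!LIST_ISEMPTY(&conn->session_list))` block in the no-mux branch of session_free() carries no comment, and the existing comment above it only says the connection is destroyed. The reason the block exists is recorded only in the commit message: conn_free() would call session_unown_conn(), which could free the srv_list that session_free() also frees. Suggest a short comment on the block stating that the connection must leave the session list before `conn_free(conn);` to avoid that double free, so that a later cleanup does not drop the block or move it below the conn_free() call. The same comment could say that `LIST_INIT(&conn->session_list);` is kept after the `LIST_DEL` on purpose, so the element is left as an empty list rather than holding stale pointers.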