From: Willy Tarreau Date: Mon, 20 Mar 2023 18:45:41 +0000 (+0100) Subject: BUG/MEDIUM: stconn: don't set the type before allocation succeeds X-Git-Tag: v2.8-dev6~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2f7946339b539035b64f23912a227af98e4a609;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: stconn: don't set the type before allocation succeeds There's an occasional crash that can be triggered in sc_detach_endp() when calling conn->mux->detach() upon memory allocation error. The problem in fact comes from sc_attach_mux(), which doesn't reset the sc type flags upon tasklet allocation failure, leading to an attempt at detaching an incompletely initialized stconn. Let's just attach the sc after the tasklet allocation succeeds, not before. This must be backported to 2.6. --- diff --git a/src/stconn.c b/src/stconn.c index 39299b19a6..e1266a4ebc 100644 --- a/src/stconn.c +++ b/src/stconn.c @@ -256,12 +256,6 @@ int sc_attach_mux(struct stconn *sc, void *sd, void *ctx) struct connection *conn = ctx; struct sedesc *sedesc = sc->sedesc; - sedesc->se = sd; - sedesc->conn = ctx; - se_fl_set(sedesc, SE_FL_T_MUX); - se_fl_clr(sedesc, SE_FL_DETACHED); - if (!conn->ctx) - conn->ctx = sc; if (sc_strm(sc)) { if (!sc->wait_event.tasklet) { sc->wait_event.tasklet = tasklet_new(); @@ -286,6 +280,13 @@ int sc_attach_mux(struct stconn *sc, void *sd, void *ctx) sc->app_ops = &sc_app_check_ops; } + + sedesc->se = sd; + sedesc->conn = ctx; + se_fl_set(sedesc, SE_FL_T_MUX); + se_fl_clr(sedesc, SE_FL_DETACHED); + if (!conn->ctx) + conn->ctx = sc; return 0; }
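Review bot: in the first hunk (@@ -256,12 +256,6), the removed prologue assignments (`sedesc->se`, `sedesc->conn`, the SE_FL_T_MUX set, the SE_FL_DETACHED clear and `conn->ctx = sc`) are now only performed at the end of the function, so everything between `struct sedesc *sedesc = sc->sedesc;` and the `sc->app_ops = &sc_app_check_ops;` block has to work without them; those lines are not part of the hunk, so please confirm that the tasklet setup and the app_ops selection neither read `sedesc->se`, nor test SE_FL_T_MUX, nor dereference `conn->ctx`, otherwise the fix trades a crash on the failure path for stale state on the success path. It would also help to leave a one-line comment at the removal site stating that the endpoint must stay marked SE_FL_DETACHED until the allocation described in the commit message has succeeded, since that is the invariant sc_detach_endp() now depends on to skip conn->mux->detach().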
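Review bot: in the second hunk (@@ -286,6 +280,13), the ordering is what makes the fix correct: `se_fl_clr(sedesc, SE_FL_DETACHED)` now runs only after the tasklet exists, so a stconn whose attach failed is still seen as detached and is never handed to conn->mux->detach(). That reasoning exists only in the commit message; a short comment above `sedesc->se = sd;` (for example "attach only once the tasklet is allocated, so a failed attach can be detached safely") would stop a later refactor from hoisting the block back up. Minor style point: the hunk adds a blank `+` line right after the closing brace but nothing between `conn->ctx = sc;` and `return 0;`, so check that the spacing around the new block matches the rest of the function.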