git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Aurelien DARRAGON <adarragon@haproxy.com>
	Mon, 12 May 2025 14:09:15 +0000 (16:09 +0200)
committer	Aurelien DARRAGON <adarragon@haproxy.com>
	Mon, 12 May 2025 14:17:26 +0000 (16:17 +0200)
commit	736151556c1e2e892bc067736f4aa1205d386208
tree	f5d404598305baf750b4f9a7f365a704e74f42f4	tree
parent	be4d816be24255c6ba3b42284ca57085b8129e5e	commit \| diff

BUG/MINOR: server: dont depend on proxy for server cleanup in srv_drop()

In commit b5ee8bebfc ("MINOR: server: always call ssl->destroy_srv when
available"), we made it so srv_drop() doesn't depend on proxy to perform
server cleanup.

It turns out this is now mandatory, because during deinit, free_proxy()
can occur before the final srv_drop(). This is the case when using Lua
scripts for instance.

In 2a9436f96 ("MINOR: lbprm: Add method to deinit server and proxy") we
added a freeing check under srv_drop() that depends on the proxy.
Because of that UAF may occur during deinit when using a Lua script that
manipulate server objects.

To fix the issue, let's perform the lbprm server deinit logic under
free_proxy() directly, where the DEINIT server hooks are evaluated.

Also, to prevent similar bugs in the future, let's explicitly document
in srv_drop() that server cleanups should assume that the proxy may
already be freed.

No backport needed unless 2a9436f96 is.

src/proxy.c		diff \| blob \| blame \| history
src/server.c		diff \| blob \| blame \| history