From b042e4f6f7dca655a337fc9ffe1a5e4f25440868 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 15 Feb 2022 16:49:37 +0100
Subject: [PATCH] BUG/MAJOR: spoe: properly detach all agents when releasing the applet

There's a bug in spoe_release_appctx() which checks the presence of items in the wrong list rt[tid].agents to run over rt[tid].waiting_queue and zero their spoe_appctx. The effect is that these contexts are not zeroed and if spoe_stop_processing() is called, "sa->cur_fpa--" will be applied to one of these recently freed contexts and will corrupt random memory locations, as found at least in bugs #1494 and #1525. This must be backported to all stable versions. Many thanks to Christian Ruppert from Babiel for exchanging so many useful traces over the last two months, testing debugging code and helping set up a similar environment to reproduce it!
---
 src/flt_spoe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 3f17bcb615..0badee3f8c 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -1282,7 +1282,7 @@ spoe_release_appctx(struct appctx *appctx)
 			task_wakeup(ctx->strm->task, TASK_WOKEN_MSG);
 		}
 
-		if (!LIST_ISEMPTY(&agent->rt[tid].applets)) {
+		if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue)) {
 			list_for_each_entry_safe(ctx, back, &agent->rt[tid].waiting_queue, list) {
 				if (ctx->spoe_appctx == spoe_appctx)
 					ctx->spoe_appctx = NULL;
-- 
2.39.5
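Review bot: The `if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue))` guard on the added line is redundant, because `list_for_each_entry_safe` over an empty list runs its body zero times; the bug being fixed was precisely a mismatch between the list tested and the list walked, and dropping the guard removes that class of mistake rather than only correcting this instance. If the guard is kept for symmetry with the surrounding code, a comment on the loop would record why the walk is mandatory: `/* Detach every stream still queued on this applet: spoe_stop_processing() dereferences ctx->spoe_appctx, so a stale pointer here is a write into freed memory. */`. The hunk's context suggests the preceding block uses the same guard-then-iterate shape for another list; if so, the same simplification presumably applies there, though that code is outside this hunk. spoe_release_appctx() starts and ends outside the hunk, so whether other lists reachable from spoe_appctx are cleared cannot be confirmed from here.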