From f94afebb946eb550f1cd1c8159d2ba5d7323e5f3 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 27 Mar 2019 14:19:10 +0100 Subject: [PATCH] BUG/MEDIUM: mworker: don't free the wrong child when not found A bug occurs when the sigchld handler is called and a child which is not in the process list just left, or with an empty process list. The child variable won't be set and left as an uninitialized variable or set to the wrong child entry, which can lead to a free of this uninitialized variable or of the wrong child. This can lead to a crash of the master during a stop or a reload. It is not supposed to happen with a worker which was created by the master. A cause could be a fork made by a dependency. (openssl, lua ?) This patch strengthens the case of the missing child by doing the free only if the child was found. This patch must be backported to 1.9. --- src/haproxy.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/haproxy.c b/src/haproxy.c index cbcc80cdfe..30abbd73de 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -835,9 +835,12 @@ static void mworker_catch_sigchld(struct sig_handler *sh) int exitpid = -1; int status = 0; struct mworker_proc *child, *it; + int childfound; restart_wait: + childfound = 0; + exitpid = waitpid(-1, &status, WNOHANG); if (exitpid > 0) { if (WIFEXITED(status)) @@ -855,10 +858,11 @@ restart_wait: LIST_DEL(&child->list); close(child->ipc_fd[0]); + childfound = 1; break; } - if (!children) { + if (!children || !childfound) { ha_warning("Worker %d exited with code %d (%s)\n", exitpid, status, (status >= 128) ? strsignal(status - 128) : "Exit"); } else { /* check if exited child was in the current children list */ @@ -875,8 +879,8 @@ restart_wait: ha_warning("Former worker #%d (%d) exited with code %d (%s)\n", child->relative_pid, exitpid, status, (status >= 128) ? strsignal(status - 128) : "Exit"); delete_oldpid(exitpid); } + free(child); } - free(child); /* do it again to check if it was the last worker */ goto restart_wait; -- 2.47.3