BUG/MEDIUM: session: risk of crash on out of memory conditions In session_accept(), if we face a memory allocation error, we try to emit an HTTP 500 error message in HTTP mode. The problem is that we must not use http_error_message() for this since it dereferences the session which can be NULL in this case. We don't need the session to build the error message anyway since this function only uses it to retrieve the backend and frontend to get the most suited error message. Let's pick it ourselves, we're at the beginning of the session, only the frontend is relevant. This bug is 1.5-specific.

commit: 05bf5e1c36194b62e963c422498070a545c2f555 [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Sun Oct 20 23:10:28 2013 +0200
committer: Willy Tarreau <w@1wt.eu> Wed Oct 30 07:59:03 2013 +0100
tree: 239a78bb4aebd6742ce3fe43cce897bca09359b2
parent: a054d410db7e3498b66181c0f29cdbf0dd08a532 [diff] [blame]
diff --git a/src/session.c b/src/session.c
index ed55ca4..76bc8f3 100644
--- a/src/session.c
+++ b/src/session.c

@@ -232,7 +232,9 @@
  out_close:
 	if (ret < 0 && l->xprt == &raw_sock && p->mode == PR_MODE_HTTP) {
 		/* critical error, no more memory, try to emit a 500 response */
-		struct chunk *err_msg = http_error_message(s, HTTP_ERR_500);
+		struct chunk *err_msg = &p->errmsg[HTTP_ERR_500];
+		if (!err_msg->str)
+			err_msg = &http_err_chunks[HTTP_ERR_500];
 		send(cfd, err_msg->str, err_msg->len, MSG_DONTWAIT|MSG_NOSIGNAL);
 	}
commit	05bf5e1c36194b62e963c422498070a545c2f555	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Sun Oct 20 23:10:28 2013 +0200
committer	Willy Tarreau <w@1wt.eu>	Wed Oct 30 07:59:03 2013 +0100
tree	239a78bb4aebd6742ce3fe43cce897bca09359b2
parent	a054d410db7e3498b66181c0f29cdbf0dd08a532 [diff] [blame]