Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 16b2be93ad9e7db2d57ca5aaa4ca629efecd6530^! / .
commit16b2be93ad9e7db2d57ca5aaa4ca629efecd6530[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Thu Jul 04 11:59:42 2019 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Fri Jul 05 14:26:15 2019 +0200
tree807b9b73ab020c7f9570adc9618bec49bbda96fa
parent8f1aa77b423b85012c062149f16ceb8f3aacefea [diff]
BUG/MEDIUM: lb_fas: Don't test the server's lb_tree from outside the lock

In the function fas_srv_reposition(), the server's lb_tree is tested from
outside the lock. So it is possible to remove it after the test and then call
eb32_insert() in fas_queue_srv() with a NULL root pointer, which is
invalid. Moving the test in the scope of the lock fixes the bug.

This issue was reported on Github, issue #126.

This patch must be backported to 2.0, 1.9 and 1.8.

diff --git a/src/lb_fas.c b/src/lb_fas.c
index 69b85d7..6b72099 100644
--- a/src/lb_fas.c
+++ b/src/lb_fas.c

@@ -70,12 +70,11 @@
  */
 static void fas_srv_reposition(struct server *s)
 {
-	if (!s->lb_tree)
-		return;
-
 	HA_SPIN_LOCK(LBPRM_LOCK, &s->proxy->lbprm.lock);
-	fas_dequeue_srv(s);
-	fas_queue_srv(s);
+	if (s->lb_tree) {
+		fas_dequeue_srv(s);
+		fas_queue_srv(s);
+	}
 	HA_SPIN_UNLOCK(LBPRM_LOCK, &s->proxy->lbprm.lock);
 }