Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 61840e715f37b71c4b30d68b8b2e79106a3799dc^! / .
commit61840e715f37b71c4b30d68b8b2e79106a3799dc[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Mon Apr 15 09:33:32 2019 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Mon Apr 15 09:47:10 2019 +0200
tree91bc59b8b86f49999e52147a08ab2ac22a02e741
parent78f31bf07aa2291ab8368d5ad54107577b992d50 [diff]
BUG/MEDIUM: muxes: Don't dereference mux context if null in release functions

When a mux context is released, we must be sure it exists before dereferencing
it. The bug was introduced in the commit 39a96ee16 ("MEDIUM: muxes: Be prepared
to don't own connection during the release").

No need to backport this patch, expect if the commit 39a96ee16 is backported
too.

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 5ea5f3c..3a031e0 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c

@@ -445,14 +445,14 @@
  */
 static void h1_release(struct h1c *h1c)
 {
-	struct connection *conn = h1c->conn;
-
-	/* The connection was attached to another mux */
-	if (conn && conn->ctx != h1c)
-		conn = NULL;
+	struct connection *conn = NULL;
 
 	if (h1c) {
-		if (h1c->flags & H1C_F_UPG_H2C) {
+		/* The connection must be aattached to this mux to be released */
+		if (h1c->conn && h1c->conn->ctx == h1c)
+			conn = h1c->conn;
+
+		if (conn && h1c->flags & H1C_F_UPG_H2C) {
 			h1c->flags &= ~H1C_F_UPG_H2C;
 			if (conn_upgrade_mux_fe(conn, NULL, &h1c->ibuf, ist("h2"), PROTO_MODE_HTX) != -1) {
 				/* connection successfully upgraded to H2, this
@@ -462,6 +462,7 @@
 			sess_log(conn->owner); /* Log if the upgrade failed */
 		}
 
+
 		if (!LIST_ISEMPTY(&h1c->buf_wait.list)) {
 			HA_SPIN_LOCK(BUF_WQ_LOCK, &buffer_wq_lock);
 			LIST_DEL(&h1c->buf_wait.list);

diff --git a/src/mux_h2.c b/src/mux_h2.c
index 48876ee..894c4bd 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c

@@ -619,14 +619,13 @@
  */
 static void h2_release(struct h2c *h2c)
 {
-	struct connection *conn = h2c->conn;
-
-	/* The connection was attached to another mux (unexpected but safer to
-	 * check) */
-	if (conn && conn->ctx != h2c)
-		conn = NULL;
+	struct connection *conn = NULL;;
 
 	if (h2c) {
+		/* The connection must be aattached to this mux to be released */
+		if (h2c->conn && h2c->conn->ctx == h2c)
+			conn = h2c->conn;
+
 		hpack_dht_free(h2c->ddht);
 
 		HA_SPIN_LOCK(BUF_WQ_LOCK, &buffer_wq_lock);

diff --git a/src/mux_pt.c b/src/mux_pt.c
index 82ba124..278a8f5 100644
--- a/src/mux_pt.c
+++ b/src/mux_pt.c

@@ -26,13 +26,10 @@
 
 static void mux_pt_destroy(struct mux_pt_ctx *ctx)
 {
-	struct connection *conn = ctx->conn;
-
-	/* The connection was attached to another mux */
-	if (conn && conn->ctx != ctx)
-		conn = NULL;
+	/* The connection must be aattached to this mux to be released */
+	if (ctx && ctx->conn && ctx->conn->ctx == ctx) {
+		struct connection *conn = ctx->conn;
 
-	if (conn) {
 		conn_stop_tracking(conn);
 		conn_full_close(conn);
 		tasklet_free(ctx->wait_event.task);