[BUG] session: risk of crash on out of memory (1.5-dev regression)
Patch af5149 introduced an issue which can be detected only on out of
memory conditions: a LIST_DEL() may be performed on an uninitialized
struct member instead of a LIST_INIT() during the accept() phase,
causing crashes and memory corruption to occur.
This issue was detected and diagnosed by the Exceliance R&D team.
This is 1.5-specific and very recent, so no existing deployment should
be impacted.
diff --git a/include/proto/session.h b/include/proto/session.h
index 810fe44..78a2222 100644
--- a/include/proto/session.h
+++ b/include/proto/session.h
@@ -240,6 +240,12 @@
LIST_DEL(&sess->by_srv);
}
+static void inline session_init_srv_conn(struct session *sess)
+{
+ sess->srv_conn = NULL;
+ LIST_INIT(&sess->by_srv);
+}
+
#endif /* _PROTO_SESSION_H */
/*
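Review bot: the new helper's qualifier order `static void inline` is unusual and should read `static inline void session_init_srv_conn(struct session *sess)` to match the surrounding declarations in this header. The helper also deserves a short comment stating that it is only valid on a freshly allocated session: calling LIST_INIT() on a `by_srv` member that is already linked into a server's list would silently leave a dangling node there, which is exactly the class of corruption this patch is fixing from the other direction (LIST_DEL() on a never-initialized node).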
diff --git a/src/peers.c b/src/peers.c
index f253280..47d9fe1 100644
--- a/src/peers.c
+++ b/src/peers.c
@@ -1185,7 +1185,7 @@
stream_sock_prepare_interface(&s->si[1]);
s->si[1].release = NULL;
- session_del_srv_conn(s);
+ session_init_srv_conn(s);
clear_target(&s->target);
s->pend_pos = NULL;
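Review bot: this call site is correct only because the session `s` was just allocated and `by_srv` has never been linked, so replacing session_del_srv_conn() (which runs LIST_DEL() on the uninitialized member) with session_init_srv_conn() is the right fix here; a one-line comment such as `/* fresh session: init, never del */` next to the call would make that precondition visible to the next person touching this setup path.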
diff --git a/src/session.c b/src/session.c
index ae720cf..6e3a525 100644
--- a/src/session.c
+++ b/src/session.c
@@ -201,7 +201,7 @@
if (likely(s->fe->options2 & PR_O2_INDEPSTR))
s->si[1].flags |= SI_FL_INDEP_STR;
- session_del_srv_conn(s);
+ session_init_srv_conn(s);
clear_target(&s->target);
s->pend_pos = NULL;
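Review bot: this mirrors the peers.c change for the accept() path named in the commit message, but only these two allocation sites are converted; any other place that builds a `struct session` from scratch and still calls session_del_srv_conn() before `by_srv` is initialized would keep the same out-of-memory crash, so the submitter should confirm that no other caller of session_del_srv_conn() runs on a freshly allocated session.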