BUG/MEDIUM: mux-h1: properly destroy a partially allocated h1s
In h1c_frt_stream_new() and h1c_bck_stream_new(), if we fail to completely
initialize the freshly allocated h1s, typically because sc_attach_mux()
fails, we must use h1s_destroy() to de-initialize it. Otherwise it stays
attached to the h1c when released, causing use-after-free upon the next
wakeup. This can be triggered upon memory shortage.
This needs to be backported to 2.6.
diff --git a/src/mux_h1.c b/src/mux_h1.c
index 697924a..20f7a12 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -305,6 +305,7 @@
static void h1_shutw_conn(struct connection *conn);
static void h1_wake_stream_for_recv(struct h1s *h1s);
static void h1_wake_stream_for_send(struct h1s *h1s);
+static void h1s_destroy(struct h1s *h1s);
/* returns the stconn associated to the H1 stream */
static forceinline struct stconn *h1s_sc(const struct h1s *h1s)
@@ -803,7 +804,7 @@
fail:
TRACE_DEVEL("leaving on error", H1_EV_STRM_NEW|H1_EV_STRM_ERR, h1c->conn);
- pool_free(pool_head_h1s, h1s);
+ h1s_destroy(h1s);
return NULL;
}
@@ -837,7 +838,7 @@
fail:
TRACE_DEVEL("leaving on error", H1_EV_STRM_NEW|H1_EV_STRM_ERR, h1c->conn);
- pool_free(pool_head_h1s, h1s);
+ h1s_destroy(h1s);
return NULL;
}