BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error

In get_pipe(), if pipe() fails, we free the pipe struct but return it to
the caller, resulting in a use-after-free then a double-free provoking a
crash. It's quite hard to trigger the problem as it usually involves a
tweaked configuration with heavy use of splicing and too many allocated
pipes of large size, but it does happen in benchmarks.

The bug was introduced with the very first patch adding pipes support
in 1.3.16-rc1, commit 982b6e37e ("[MEDIUM] introduce pipe pools"). As
such, this fix must be backported to all supported versions.

This patch doesn't exist in mainline because it was fixed as a side
effect of commit 876b411f2b ("BUG/MEDIUM: pipe/thread: fix atomicity of
pipe counters") that only affects mainline.

The bug manifests itself as a crash in pool_free() or __pool_get_first()
and is easily worked around by reducing tune.maxpipes, or since 2.0, by
not forcing any value and letting it configure itself based on maxconn
and ulimit-n.

(cherry picked from commit 85aa2eb9e57b022321b64010fead4287a45aae66)
Signed-off-by: Willy Tarreau <w@1wt.eu>
1 file changed
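The error path described in the message, as an added C illustration that is not HAProxy's get_pipe() or pool code: the struct pipe layout, the counting pool, the names get_pipe_buggy/get_pipe_fixed/put_pipe and the injected pipe() failure are simplified assumptions so that the freed-then-returned pointer and its fix can be exercised offline.

```c
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>

struct pipe { int prod; int cons; };   /* assumed, simplified layout */

/* Stand-in pool: a live-object counter makes leaks and double frees visible. */
static int pool_live = 0;
static struct pipe *pool_alloc(void) { struct pipe *p = malloc(sizeof(*p)); if (p) pool_live++; return p; }
static void pool_free(struct pipe *p) { pool_live--; free(p); }

/* Failure injection (constructed): pipe() "fails" with EMFILE, the
 * too-many-pipes condition the commit message says is hard to hit. */
static int inject_pipe_failure = 0;
static int do_pipe(int fds[2]) {
    if (inject_pipe_failure) { errno = EMFILE; return -1; }
    return pipe(fds);
}

/* Buggy shape: freed on error but still handed to the caller, who will use
 * it (use-after-free) and later release it again (double free). */
static struct pipe *get_pipe_buggy(void) {
    int fds[2];
    struct pipe *p = pool_alloc();
    if (!p) return NULL;
    if (do_pipe(fds) < 0) {
        pool_free(p);
        return p;  /* BUG: dangling pointer escapes to the caller */
    }
    p->cons = fds[0]; p->prod = fds[1];
    return p;
}

/* Fixed shape: the error path returns NULL, so freed memory never escapes. */
static struct pipe *get_pipe_fixed(void) {
    int fds[2];
    struct pipe *p = pool_alloc();
    if (!p) return NULL;
    if (do_pipe(fds) < 0) {
        pool_free(p);
        return NULL;
    }
    p->cons = fds[0]; p->prod = fds[1];
    return p;
}

/* Release path: close both ends, return the struct to the pool. */
static void put_pipe(struct pipe *p) {
    if (!p) return;
    close(p->prod); close(p->cons); pool_free(p);
}
```

With the failure injected, the fixed variant returns NULL and leaves the pool balanced, while the buggy variant hands back a pointer whose object the pool has already released.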