BUG/MAJOR: dns: tcp session can remain attached to a list after a free
Using TCP, after a session release and free, the session can remain
attached to the list of sessions with a response message waiting for
a commit (ds->waiter). This results in a use-after-free of this
session.
Also, on some error paths and after free, a session could remain attached
to the lists of available idle/free sessions (ds->list).
This patch ensures that the session is removed from those external lists
before a free.
This patch should be backported to all versions including
DNS over TCP (2.4).
(cherry picked from commit d20dc21eeca1d5e936f7a8bfd3d865a032499c65)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/dns.c b/src/dns.c
index d4bf839..cc75d4a 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -758,6 +758,13 @@
dns_queries_flush(ds);
+ /* Ensure to remove this session from external lists
+ * Note: we are under the lock of dns_stream_server
+ * which own the heads of those lists.
+ */
+ LIST_DEL_INIT(&ds->waiter);
+ LIST_DEL_INIT(&ds->list);
+
ds->dss->cur_conns--;
/* Note: this is useless to update
* max_active_conns here because
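Review bot: the two new LIST_DEL_INIT() calls on ds->waiter and ds->list are only safe if both nodes are always initialized when the session is created (an uninitialized node would make LIST_DEL_INIT() follow garbage prev/next pointers), so please confirm the allocation path initializes both before any early-error exit reaches this release code. The inline comment also states that the caller must hold the dns_stream_server lock that owns the list heads; that precondition would be better stated in the function's header comment as well, so that any future caller of this release path sees it, rather than only at the point of the unlink. Using LIST_DEL_INIT() rather than LIST_DELETE() is the right choice here given that the session may or may not be attached to either list at release time.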