BUG/MINOR: mux-pt: Fix a possible UAF because of traces in mux_pt_io_cb In mux_pt_io_cb(), if a connection error or a shutdown is detected, the mux is destroyed. Thus we must be careful to not use it in a trace message once destroyed. No backport needed. This patch should fix the issue #1220.

commit: e2c65ba344bbe11c3dd595e68335893282aa02ef [log] [tgz]
author: Christopher Faulet <cfaulet@haproxy.com> Sat Apr 10 09:02:32 2021 +0200
committer: Christopher Faulet <cfaulet@haproxy.com> Sat Apr 10 09:02:36 2021 +0200
tree: 621e4d3123b37fc7d6b7f8f1639373c98a3ed677
parent: c0ae097b95ab4b4961790e57069a374a1cdbef4a [diff]
diff --git a/src/mux_pt.c b/src/mux_pt.c
index eff43d2..3a36f37 100644
--- a/src/mux_pt.c
+++ b/src/mux_pt.c

@@ -250,17 +250,16 @@
 	}
 	conn_ctrl_drain(ctx->conn);
 	if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH)) {
-		TRACE_DEVEL("destroying pt context", PT_EV_CONN_WAKE, ctx->conn);
+		TRACE_DEVEL("leaving destroying pt context", PT_EV_CONN_WAKE, ctx->conn);
 		mux_pt_destroy(ctx);
 		t = NULL;
 	}
 	else {
-		TRACE_DEVEL("subscribing for reads", PT_EV_CONN_WAKE, ctx->conn);
 		ctx->conn->xprt->subscribe(ctx->conn, ctx->conn->xprt_ctx, SUB_RETRY_RECV,
 					   &ctx->wait_event);
+		TRACE_DEVEL("leaving subscribing for reads", PT_EV_CONN_WAKE, ctx->conn);
 	}
 
-	TRACE_LEAVE(PT_EV_CONN_WAKE, ctx->conn);
 	return t;
 }
commit	e2c65ba344bbe11c3dd595e68335893282aa02ef	[log] [tgz]
author	Christopher Faulet <cfaulet@haproxy.com>	Sat Apr 10 09:02:32 2021 +0200
committer	Christopher Faulet <cfaulet@haproxy.com>	Sat Apr 10 09:02:36 2021 +0200
tree	621e4d3123b37fc7d6b7f8f1639373c98a3ed677
parent	c0ae097b95ab4b4961790e57069a374a1cdbef4a [diff]