BUG/MEDIUM: mux_pt: Make sure we don't have a conn_stream before freeing.
On error, make sure we don't have a conn_stream before freeing the connection
and the associated mux context. Otherwise a stream will still reference
the connection, and attempt to use it.
If we still have a conn_stream, it will be properly freed when the detach
method is called anyway.
This should be backported to 2.0 and 1.9.
diff --git a/src/mux_pt.c b/src/mux_pt.c
index a86cbef..b957ed6 100644
--- a/src/mux_pt.c
+++ b/src/mux_pt.c
@@ -51,9 +51,10 @@
struct mux_pt_ctx *ctx = tctx;
conn_sock_drain(ctx->conn);
- if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))
- mux_pt_destroy(ctx);
- else
+ if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH)) {
+ if (!ctx->cs)
+ mux_pt_destroy(ctx);
+ } else
ctx->conn->xprt->subscribe(ctx->conn, ctx->conn->xprt_ctx, SUB_RETRY_RECV,
&ctx->wait_event);
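Review bot: `conn_sock_drain(ctx->conn)` still runs before the new `ctx->cs` test, so with a conn_stream attached this callback may drain socket data from under the stream; consider testing `ctx->cs` first and skipping the drain in that case (this assumes the drain discards pending input, which should be confirmed against its definition). The new inner branch silently does nothing when `ctx->cs` is set, and a short comment would make the intent explicit, e.g. `/* a conn_stream still references conn; detach will release ctx */`. The `} else` now pairs a braced `if` with an unbraced multi-line call, so bracing both arms would be safer for later edits. The enclosing function begins and ends outside this hunk.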
@@ -193,7 +194,7 @@
!(conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))) {
ctx->cs = NULL;
conn->xprt->subscribe(conn, conn->xprt_ctx, SUB_RETRY_RECV, &ctx->wait_event);
- } else
+ } else if (!ctx->cs)
/* There's no session attached to that connection, destroy it */
mux_pt_destroy(ctx);
}
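Review bot: In the `else` path `ctx->cs` is never cleared before `else if (!ctx->cs)` is evaluated, whereas the first branch has to set `ctx->cs = NULL` explicitly, which suggests the pointer is normally non-NULL when this function runs. If so, `mux_pt_destroy(ctx)` would no longer be reached here for an errored or shut connection, and the connection and mux context would leak, contrary to the commit message's statement that detach frees them. Either clear the pointer before the test (`ctx->cs = NULL;`) or keep the unconditional `else` in this function, since the stream is the one going away. The comment `There's no session attached to that connection, destroy it` also no longer matches a condition on the conn_stream. The function's start is outside the hunk, so the entry state of `ctx->cs` should be confirmed.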