|
|
- commit d9a130e1962c2a5352f33088c563f4248a102c48
- Author: Willy Tarreau <w@1wt.eu>
- Date: Fri Aug 24 15:48:59 2018 +0200
-
- BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
-
- mux_pt_wake() calls data->wake() which can return -1 indicating that the
- connection was just destroyed. We need to check for this condition and
- immediately exit in this case otherwise we dereference a just freed
- connection. Note that this mainly happens on idle connections between
- two HTTP requests. It can have random implications between requests as
- it may lead a wrong connection's polling to be re-enabled or disabled
- for example, especially with threads.
-
- This patch must be backported to 1.8.
-
- (cherry picked from commit ad7f0ad1c3c9c541a4c315b24d4500405d1383ee)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
- diff --git a/src/mux_pt.c b/src/mux_pt.c
- index a68b9621..c43e30f2 100644
- --- a/src/mux_pt.c
- +++ b/src/mux_pt.c
- @@ -51,6 +51,9 @@ static int mux_pt_wake(struct connection *conn)
-
- ret = cs->data_cb->wake ? cs->data_cb->wake(cs) : 0;
-
- + if (ret < 0)
- + return ret;
- +
- /* If we had early data, and we're done with the handshake
- * then whe know the data are safe, and we can remove the flag.
- */
|