commit e725a7f9bfd8b7fe2e74c62c7c6bf2b9ebf83772 Author: Willy Tarreau Date: Wed Oct 3 10:20:19 2018 +0200 BUG/MINOR: backend: check that the mux installed properly The return value from conn_install_mux() was not checked, so if an inconsistency happens in the code, or a memory allocation fails while initializing the mux, we can crash while using an uninitialized mux. In practice the code inconsistency does not really happen since we cannot configure such a situation, except during development, but the out of memory condition could definitely happen. This should be backported to 1.8 (the code is a bit different there, there are two calls to conn_install_mux()). (cherry picked from commit 33dd4ef81245bb868b22f99b9be45d0791131eec) Signed-off-by: Christopher Faulet diff --git a/src/backend.c b/src/backend.c index 2b6167dc..fc1eac0d 100644 --- a/src/backend.c +++ b/src/backend.c @@ -1163,7 +1163,8 @@ int connect_server(struct stream *s) if (srv) { conn_prepare(srv_conn, protocol_by_family(srv_conn->addr.to.ss_family), srv->xprt); /* XXX: Pick the right mux, when we finally have one */ - conn_install_mux(srv_conn, &mux_pt_ops, srv_cs); + if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0) + return SF_ERR_INTERNAL; } else if (obj_type(s->target) == OBJ_TYPE_PROXY) { /* proxies exclusively run on raw_sock right now */ @@ -1171,7 +1172,8 @@ int connect_server(struct stream *s) if (!objt_cs(s->si[1].end) || !objt_cs(s->si[1].end)->conn->ctrl) return SF_ERR_INTERNAL; /* XXX: Pick the right mux, when we finally have one */ - conn_install_mux(srv_conn, &mux_pt_ops, srv_cs); + if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0) + return SF_ERR_INTERNAL; } else return SF_ERR_INTERNAL; /* how did we get there ? */