RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-17 17:04:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: Make sure we leave the session list in session_free().

Browse Source 
In session_free(), if we're about to destroy a connection that had no mux,
make sure we leave the session_list before calling conn_free(). Otherwise,
conn_free() would call session_unown_conn(), which would potentially free
the associated srv_list, but session_free() also frees it, so that would
lead to a double free, and random memory corruption.

This should be backported to 1.9 and 2.0.
This commit is contained in:
Olivier Houchard 2019-11-14 19:26:14 +01:00 committed by Olivier Houchard
parent 9ada030697
commit a132e5efa9
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/session.c
View File

@ -90,6 +90,10 @@ void session_free(struct session *sess)
/* We have a connection, but not yet an associated mux.
* So destroy it now.
*/
if (!LIST_ISEMPTY(&conn->session_list)) {
LIST_DEL(&conn->session_list);
LIST_INIT(&conn->session_list);
}
conn_stop_tracking(conn);
conn_full_close(conn);
conn_free(conn);