From a132e5efa94c962144e78378403c566875a6d37e Mon Sep 17 00:00:00 2001 From: Olivier Houchard Date: Thu, 14 Nov 2019 19:26:14 +0100 Subject: [PATCH] BUG/MEDIUM: Make sure we leave the session list in session_free(). In session_free(), if we're about to destroy a connection that had no mux, make sure we leave the session_list before calling conn_free(). Otherwise, conn_free() would call session_unown_conn(), which would potentially free the associated srv_list, but session_free() also frees it, so that would lead to a double free, and random memory corruption. This should be backported to 1.9 and 2.0. --- src/session.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/session.c b/src/session.c index 7b2564e8c..c9bdd9421 100644 --- a/src/session.c +++ b/src/session.c @@ -90,6 +90,10 @@ void session_free(struct session *sess) /* We have a connection, but not yet an associated mux. * So destroy it now. */ + if (!LIST_ISEMPTY(&conn->session_list)) { + LIST_DEL(&conn->session_list); + LIST_INIT(&conn->session_list); + } conn_stop_tracking(conn); conn_full_close(conn); conn_free(conn);