BUG/MEDIUM: mux-h2: fix crash when checking for reverse connection after error

If the connection is closed in h2_release(), which is indicated by ret<0, we
must not dereference conn anymore. This was introduced in 2.9-dev4 by commit
5053e8914 ("MEDIUM: h2: prevent stream opening before connection reverse
completed") and detected after a few hours of runtime thanks to running with
pool integrity checks and caller enabled. No backport is needed.
Willy Tarreau 2023-08-26 17:05:19 +02:00
parent 518349f08a
commit a7b9baa2cc
1 changed files with 10 additions and 9 deletions

@ -4257,17 +4257,18 @@ static int h2_wake(struct connection *conn)
TRACE_ENTER(H2_EV_H2C_WAKE, conn);
ret = h2_process(h2c);
if (ret >= 0)
if (ret >= 0) {
h2_wake_some_streams(h2c, 0);
/* For active reverse connection, an explicit check is required if an
* error is pending to propagate the error as demux process is blocked
* until reversal. This allows to quickly close the connection and
* prepare a new one.
*/
if (unlikely(conn_reverse_in_preconnect(conn)) && h2c_is_dead(h2c)) {
TRACE_DEVEL("leaving and killing dead connection", H2_EV_STRM_END, h2c->conn);
h2_release(h2c);
/* For active reverse connection, an explicit check is required if an
* error is pending to propagate the error as demux process is blocked
* until reversal. This allows to quickly close the connection and
* prepare a new one.
*/
if (unlikely(conn_reverse_in_preconnect(conn)) && h2c_is_dead(h2c)) {
TRACE_DEVEL("leaving and killing dead connection", H2_EV_STRM_END, h2c->conn);
h2_release(h2c);
}
}
TRACE_LEAVE(H2_EV_H2C_WAKE);
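Review bot: in the new `if (ret >= 0) {` block, `ret` is left unchanged after `h2_release(h2c);`, so on the reverse-preconnect path the function reaches `TRACE_LEAVE(H2_EV_H2C_WAKE);` with a non-negative `ret` even though the connection has just been released. The commit message relies on `ret<0` as the signal that `conn` must no longer be dereferenced, and this path does not follow that convention in the visible lines. Consider setting `ret` to a negative value immediately after `h2_release(h2c);`, or add a comment on that line explaining why a non-negative return is safe for the caller here. A short comment above `if (ret >= 0) {` stating that `conn` and `h2c` are invalid when `ret < 0` would also document why the reverse check had to move inside the block.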