RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-03-11 05:48:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MAJOR: spoe: properly detach all agents when releasing the applet

Browse Source 
There's a bug in spoe_release_appctx() which checks the presence of items
in the wrong list rt[tid].agents to run over rt[tid].waiting_queue and
zero their spoe_appctx. The effect is that these contexts are not zeroed
and if spoe_stop_processing() is called, "sa->cur_fpa--" will be applied
to one of these recently freed contexts and will corrupt random memory
locations, as found at least in bugs #1494 and #1525.

This must be backported to all stable versions.

Many thanks to Christian Ruppert from Babiel for exchanging so many
useful traces over the last two months, testing debugging code and
helping set up a similar environment to reproduce it!
This commit is contained in:
Willy Tarreau 2022-02-15 16:49:37 +01:00
parent bfb15ab34e
commit b042e4f6f7
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/flt_spoe.c
View File

@ -1282,7 +1282,7 @@ spoe_release_appctx(struct appctx *appctx)
task_wakeup(ctx->strm->task, TASK_WOKEN_MSG);
}
if (!LIST_ISEMPTY(&agent->rt[tid].applets)) {
if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue)) {
list_for_each_entry_safe(ctx, back, &agent->rt[tid].waiting_queue, list) {
if (ctx->spoe_appctx == spoe_appctx)
ctx->spoe_appctx = NULL;