BUG/MEDIUM: httpclient: always detach the caller before self-killing

If the caller dies before the server responds, the httpclient can crash in hc_cli_res_end_cb() when unregistering because it dereferences hc->caller which was already freed during the caller's unregistration. The easiest way to reproduce it is by sending twice the following request on the same CLI connection in expert mode, with httpterm running on local port 8000: httpclient GET http://127.0.0.1:8000/?t=600 Note the 600ms delay that's larger than socat's default 500. The code checks for a NULL everywhere hc->caller is used, but the NULL was forgotten in this specific case. It must be placed in the second half of httpclient_stop_and_destroy() which is responsible for signaling the client that the caller leaves. This must be backported to 2.6.
2025-03-06 19:38:22 +00:00 · 2022-09-01 20:40:26 +02:00 · 2022-09-01 20:40:26 +02:00 · b48292068b
commit b48292068b
parent d8a44d0b24
1 changed files with 3 additions and 1 deletions
--- a/src/http_client.c
+++ b/src/http_client.c
@ -567,8 +567,10 @@ void httpclient_stop_and_destroy(struct httpclient *hc)
 	if (hc->flags & HTTPCLIENT_FS_ENDED || !(hc->flags & HTTPCLIENT_FS_STARTED)) {
 		httpclient_destroy(hc);
 	} else {
-	/* if the client wasn't stopped, ask for a stop and destroy */
+		/* if the client wasn't stopped, ask for a stop and destroy */
 		hc->flags |= (HTTPCLIENT_FA_AUTOKILL | HTTPCLIENT_FA_STOP);
+		/* the calling applet doesn't exist anymore */
+		hc->caller = NULL;
 		if (hc->appctx)
 			appctx_wakeup(hc->appctx);
 	}