BUG/MAJOR: dns: tcp session can remain attached to a list after a free

Using tcp, after a session release and free, the session can remain
attached to the list of sessions with a response message waiting for
a commit (ds->waiter). This results in a use after free of this
session.

Also, on some error path and after free, a session could remain attached
to the lists of available idle/free sessions (ds->list).

This patch ensures the session is removed from those external lists
before a free.

This patch should be backported to all versions including
the dns over tcp (2.4)
Emeric Brun 2021-10-19 15:40:10 +02:00 committed by Willy Tarreau
parent d16e7dd0e4
commit d20dc21eec

@ -758,6 +758,13 @@ void dns_session_free(struct dns_session *ds)
dns_queries_flush(ds);
/* Ensure to remove this session from external lists
* Note: we are under the lock of dns_stream_server
* which own the heads of those lists.
*/
LIST_DEL_INIT(&ds->waiter);
LIST_DEL_INIT(&ds->list);
ds->dss->cur_conns--;
/* Note: this is useless to update
* max_active_conns here because
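Review bot: the new comment in dns_session_free() says the caller is under the dns_stream_server lock, but nothing in the visible lines takes or checks that lock, and the two LIST_DEL_INIT() calls on ds->waiter and ds->list modify lists whose heads it protects. Please state the locking requirement in the function's header comment as well, so that callers on the error paths mentioned in the commit message can be audited against it. It is also worth confirming that both ds->waiter and ds->list are initialized at session creation before any path can reach this free, since LIST_DEL_INIT() on an element that was never initialized would follow stale pointers. Minor: "which own the heads" should read "which owns the heads".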