34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
|
commit d9a130e1962c2a5352f33088c563f4248a102c48
|
||
|
|
Author: Willy Tarreau <w@1wt.eu>
|
||
|
|
Date: Fri Aug 24 15:48:59 2018 +0200
|
||
|
|
|
||
|
|
BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
|
||
|
|
|
||
|
|
mux_pt_wake() calls data->wake() which can return -1 indicating that the
|
||
|
|
connection was just destroyed. We need to check for this condition and
|
||
|
|
immediately exit in this case otherwise we dereference a just freed
|
||
|
|
connection. Note that this mainly happens on idle connections between
|
||
|
|
two HTTP requests. It can have random implications between requests as
|
||
|
|
it may lead a wrong connection's polling to be re-enabled or disabled
|
||
|
|
for example, especially with threads.
|
||
|
|
|
||
|
|
This patch must be backported to 1.8.
|
||
|
|
|
||
|
|
(cherry picked from commit ad7f0ad1c3c9c541a4c315b24d4500405d1383ee)
|
||
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||
|
|
|
||
|
|
diff --git a/src/mux_pt.c b/src/mux_pt.c
|
||
|
|
index a68b9621..c43e30f2 100644
|
||
|
|
--- a/src/mux_pt.c
|
||
|
|
+++ b/src/mux_pt.c
|
||
|
|
@@ -51,6 +51,9 @@ static int mux_pt_wake(struct connection *conn)
|
||
|
|
|
||
|
|
ret = cs->data_cb->wake ? cs->data_cb->wake(cs) : 0;
|
||
|
|
|
||
|
|
+ if (ret < 0)
|
||
|
|
+ return ret;
|
||
|
|
+
|
||
|
|
/* If we had early data, and we're done with the handshake
|
||
|
|
* then whe know the data are safe, and we can remove the flag.
|
||
|
|
*/
|