diff options
| author | Amaury Denoyelle <adenoyelle@haproxy.com> | 2023-05-12 16:29:48 +0200 |
|---|---|---|
| committer | Amaury Denoyelle <adenoyelle@haproxy.com> | 2023-05-12 16:37:27 +0200 |
| commit | ee65efbfaea35df4038ec9a9a0fb8c63ad0eb0cc (patch) | |
| tree | c736be064afe0180ae668af2b8c060d91e98e813 | |
| parent | 6c501ed23bea953518059117e7dd19e8d6cb6bd8 (diff) | |
| download | haproxy-ee65efbfaea35df4038ec9a9a0fb8c63ad0eb0cc.tar.gz | |
BUG/MINOR: mux-quic: free task on qc_init() app ops failure
qc_init() is used to initialize a QUIC MUX instance. On failure, each
resources are released via a series of goto statements. There is one
issue if the app_ops.init callback fails. In this case, MUX task is not
freed.
This can cause a crash as the task is already scheduled. When the
handler will run, it will crash when trying to access qcc instance.
To fix this, properly destroy qcc task on fail_install_app_ops label.
The impact of this bug is minor as app_ops.init callback succeeds most
of the time. However, it may fail on allocation failure due to memory
exhaustion.
This may fix github issue #2154.
This must be backported up to 2.7.
| -rw-r--r-- | src/mux_quic.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/mux_quic.c b/src/mux_quic.c index 15fd5702b..1ac995679 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -2569,6 +2569,7 @@ static int qc_init(struct connection *conn, struct proxy *prx, fail_install_app_ops: if (qcc->app_ops && qcc->app_ops->release) qcc->app_ops->release(qcc->ctx); + task_destroy(qcc->task); fail_no_timeout_task: tasklet_free(qcc->wait_event.tasklet); fail_no_tasklet: |