From: Willy Tarreau Date: Tue, 15 Feb 2022 15:49:37 +0000 (+0100) Subject: BUG/MAJOR: spoe: properly detach all agents when releasing the applet X-Git-Tag: v2.5.2~5 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=389fa5ef4528dd55dd5b19d245a0f8788aa126a0;p=haproxy-2.5.git BUG/MAJOR: spoe: properly detach all agents when releasing the applet There's a bug in spoe_release_appctx() which checks the presence of items in the wrong list rt[tid].agents to run over rt[tid].waiting_queue and zero their spoe_appctx. The effect is that these contexts are not zeroed and if spoe_stop_processing() is called, "sa->cur_fpa--" will be applied to one of these recently freed contexts and will corrupt random memory locations, as found at least in bugs #1494 and #1525. This must be backported to all stable versions. Many thanks to Christian Ruppert from Babiel for exchanging so many useful traces over the last two months, testing debugging code and helping set up a similar environment to reproduce it! (cherry picked from commit b042e4f6f7dca655a337fc9ffe1a5e4f25440868) Signed-off-by: Willy Tarreau --- diff --git a/src/flt_spoe.c b/src/flt_spoe.c index 3f17bcb..0badee3 100644 --- a/src/flt_spoe.c +++ b/src/flt_spoe.c @@ -1282,7 +1282,7 @@ spoe_release_appctx(struct appctx *appctx) task_wakeup(ctx->strm->task, TASK_WOKEN_MSG); } - if (!LIST_ISEMPTY(&agent->rt[tid].applets)) { + if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue)) { list_for_each_entry_safe(ctx, back, &agent->rt[tid].waiting_queue, list) { if (ctx->spoe_appctx == spoe_appctx) ctx->spoe_appctx = NULL;
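Review bot: with the guard now testing the same list the loop walks, the `if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue))` wrapper is redundant, since `list_for_each_entry_safe()` over an empty `waiting_queue` is already a no-op; dropping the outer `if` and running the loop unconditionally would simplify the code and remove the very class of mistake being fixed here (gating a walk of one list on the emptiness of another). Separately, the commit message names the wrongly checked list as `rt[tid].agents`, while the removed line in the hunk reads `&agent->rt[tid].applets`; the message should be aligned with the code so that anyone backporting to the stable branches can grep for the right identifier.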
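To make the failure mode in the commit message concrete, here is an added, self-contained model of the bug; it is not HAProxy's code. It keeps two intrusive lists per agent/thread, an applet list and a waiting queue, and a release routine whose detach loop is gated on the emptiness of either list. Gating on the applet list (the pre-fix behaviour) leaves the queued context's `spoe_appctx` back-pointer aimed at freed memory, which is exactly what a later `sa->cur_fpa--` would then write through; gating on the waiting queue (the fix) clears it. The struct and function names (`agent_rt`, `spoe_ctx`, `release_appctx`, `leaves_dangling_pointer`) are simplified stand-ins, not the project's identifiers.

```c
/* Added example, not HAProxy code: a reduced model of the spoe_release_appctx()
 * bug. Each per-thread agent runtime (agent_rt) has an "applets" list and a
 * "waiting_queue" of stream contexts (spoe_ctx) bound to an applet context
 * (spoe_appctx). When an applet context is released, every waiting context that
 * points at it must be detached, or a later decrement of sa->cur_fpa on that
 * stale pointer writes into freed memory. The names below are stand-ins. */
#include <stddef.h>
#include <stdlib.h>
#include <stdbool.h>

struct list { struct list *n, *p; };

static void list_init(struct list *l) { l->n = l->p = l; }
static bool list_isempty(const struct list *l) { return l->n == l; }
static void list_append(struct list *head, struct list *e)
{
    e->p = head->p; e->n = head; head->p->n = e; head->p = e;
}
static void list_delete(struct list *e)
{
    e->p->n = e->n; e->n->p = e->p; list_init(e);
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct spoe_appctx { struct list list; int cur_fpa; };
struct spoe_ctx    { struct list list; struct spoe_appctx *spoe_appctx; };
struct agent_rt    { struct list applets; struct list waiting_queue; };

/* Unlink sa from rt->applets, detach any waiting context bound to it, free it.
 * gate_on_waiting_queue selects which list's emptiness guards the detach loop:
 * true models the fixed code (waiting_queue), false the buggy code (applets). */
static void release_appctx(struct agent_rt *rt, struct spoe_appctx *sa,
                           bool gate_on_waiting_queue)
{
    list_delete(&sa->list);

    const struct list *gate = gate_on_waiting_queue ? &rt->waiting_queue
                                                    : &rt->applets;
    if (!list_isempty(gate)) {
        for (struct list *e = rt->waiting_queue.n; e != &rt->waiting_queue; e = e->n) {
            struct spoe_ctx *ctx = container_of(e, struct spoe_ctx, list);
            if (ctx->spoe_appctx == sa)
                ctx->spoe_appctx = NULL;   /* detach before freeing */
        }
    }
    free(sa);
}

/* Scenario from the commit message: the only applet context is released while a
 * stream is still queued and bound to it. Returns true if the queued context
 * still points at the now-freed applet context (a dangling pointer). */
static bool leaves_dangling_pointer(bool gate_on_waiting_queue)
{
    struct agent_rt rt;
    list_init(&rt.applets);
    list_init(&rt.waiting_queue);

    struct spoe_appctx *sa = calloc(1, sizeof(*sa));
    list_init(&sa->list);
    list_append(&rt.applets, &sa->list);

    struct spoe_ctx ctx = { .spoe_appctx = sa };
    list_init(&ctx.list);
    list_append(&rt.waiting_queue, &ctx.list);

    release_appctx(&rt, sa, gate_on_waiting_queue);

    /* sa is freed here: only compare the pointer, never dereference it. */
    return ctx.spoe_appctx != NULL;
}
```

With the applet list as the gate, unlinking the last applet context empties that list, so the detach loop never runs and the queued context keeps its stale pointer; with the waiting queue as the gate, the loop runs and clears it. The model stops short of the write through the stale pointer on purpose, since that is undefined behaviour and the point is the missing detach, not the corruption it later causes.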