From 389fa5ef4528dd55dd5b19d245a0f8788aa126a0 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 15 Feb 2022 16:49:37 +0100
Subject: [PATCH] BUG/MAJOR: spoe: properly detach all agents when releasing the applet

There's a bug in spoe_release_appctx() which checks the presence of items in the wrong list rt[tid].agents to run over rt[tid].waiting_queue and zero their spoe_appctx. The effect is that these contexts are not zeroed and if spoe_stop_processing() is called, "sa->cur_fpa--" will be applied to one of these recently freed contexts and will corrupt random memory locations, as found at least in bugs #1494 and #1525.

This must be backported to all stable versions.

Many thanks to Christian Ruppert from Babiel for exchanging so many useful traces over the last two months, testing debugging code and helping set up a similar environment to reproduce it!

(cherry picked from commit b042e4f6f7dca655a337fc9ffe1a5e4f25440868)
Signed-off-by: Willy Tarreau
---
 src/flt_spoe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 3f17bcb..0badee3 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -1282,7 +1282,7 @@ spoe_release_appctx(struct appctx *appctx)
 			task_wakeup(ctx->strm->task, TASK_WOKEN_MSG);
 	}
 
-	if (!LIST_ISEMPTY(&agent->rt[tid].applets)) {
+	if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue)) {
 		list_for_each_entry_safe(ctx, back, &agent->rt[tid].waiting_queue, list) {
 			if (ctx->spoe_appctx == spoe_appctx)
 				ctx->spoe_appctx = NULL;
-- 
1.7.10.4
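Review bot: The `if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue))` guard on the added line is redundant with the `list_for_each_entry_safe` directly beneath it, which iterates zero times on an empty list if it follows the usual list.h contract, and it is precisely this extra test that let the old code key off the wrong list without any visible effect; dropping the wrapper (and its closing brace, which lies outside the hunk) removes the failure mode instead of correcting it. A short why-comment on the loop would also help the next reader, e.g. `/* detach every stream still waiting on this applet so spoe_stop_processing() never touches the freed spoe_appctx */`. The commit message names the wrong list as `rt[tid].agents` while the removed line actually reads `rt[tid].applets`, which will mislead anyone backporting by description. spoe_release_appctx continues outside the hunk, so whether the detached waiting_queue entries also need a task_wakeup like the loop just above cannot be judged from here.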