BUG/MEDIUM: conn: fix UAF on connection after reversal on edge
author Amaury Denoyelle <adenoyelle@haproxy.com>
Thu, 4 Sep 2025 14:35:49 +0000 (16:35 +0200)
committer Christopher Faulet <cfaulet@haproxy.com>
Wed, 1 Oct 2025 14:48:34 +0000 (16:48 +0200)
When a connection is reversed, some elements must be reset prior to
reusing it. Most notably, connection must be removed from lists specific
to frontend/backend sides.

When reverse was performed for frontend to backend side, connection was
not removed via its <stopping_list> attach point. On previous releases,
this did not cause any issue. However, crashes have started to occur recently,
probably due to the recent reorganization of connection list attach
points from the following patch.

  commit a96f1286a75246fef6db3e615fabdef1de927d83
  BUG/MINOR: connection: rearrange union list members

To fix this, simply ensure that <stopping_list> detach is performed via
conn_reverse().

This patch must be backported up to 3.0 release.

(cherry picked from commit 27ff7ff296dec073e84cf03106a3e285181c24d8)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit f656fb45fe7e2873541db31308c010fbc78ff6e3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 8faba2b9062ce4ade65cee5ec556c111b54c2390)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

src/connection.c

index 6f2a756..561b9af 100644 (file)
@@ -2919,6 +2919,8 @@ int conn_reverse(struct connection *conn)
                struct server *srv = objt_server(conn->reverse.target);
                BUG_ON(!srv);
 
+               LIST_DEL_INIT(&conn->stopping_list);
+
                if (conn_backend_init(conn))
                        return 1;
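
Review bot: the LIST_DEL_INIT(&conn->stopping_list) added just before conn_backend_init() carries no comment explaining why the detach must happen at this exact point, and the ordering is what makes the fix work. The commit message attributes the crash to the list attach points sharing storage after the union rearrangement, so a later refactor that moves this line below conn_backend_init() would silently reintroduce the use-after-free. A short comment above the call stating that the connection must leave the frontend stopping list before the backend side reuses the attach point would protect it. The call is also unconditional, so it is worth confirming that stopping_list is always initialized for any connection reaching this branch, and whether the opposite reversal direction needs an equivalent detach for its own side-specific lists, since only this branch is visible here.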