BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.

When calling the mux "destroy" method, the argument should be the mux
context, not the connection. In a few instances in the mux code, the
connection was used (mainly when the session wouldn't handle the idle
connection, and the server pool was fool), and that could lead to random
segfaults.

This should be backported to 2.1, 2.0, and 1.9

(cherry picked from commit 12ffab03b6b911f4a60871b098656a29253e0e9b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
index f8ee0b7..3fa4b70 100644 (file)
--- a/src/mux_fcgi.c
+++ b/src/mux_fcgi.c
@@ -3487,7 +3487,7 @@ static void fcgi_detach(struct conn_stream *cs)
                                if (eb_is_empty(&fconn->streams_by_id)) {
                                        if (!srv_add_to_idle_list(objt_server(fconn->conn->target), fconn->conn)) {
                                                /* The server doesn't want it, let's kill the connection right away */
-                                               fconn->conn->mux->destroy(fconn->conn);
+                                               fconn->conn->mux->destroy(fconn);
                                                TRACE_DEVEL("outgoing connection killed", FCGI_EV_STRM_END|FCGI_EV_FCONN_ERR);
                                        }
                                        TRACE_DEVEL("reusable idle connection", FCGI_EV_STRM_END, fconn->conn);

diff --git a/src/mux_h1.c b/src/mux_h1.c
index b76a58f..3e55f1c 100644 (file)
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -2391,7 +2391,7 @@ static void h1_detach(struct conn_stream *cs)
                                h1c->conn->owner = NULL;
                                if (!srv_add_to_idle_list(objt_server(h1c->conn->target), h1c->conn)) {
                                        /* The server doesn't want it, let's kill the connection right away */
-                                       h1c->conn->mux->destroy(h1c->conn);
+                                       h1c->conn->mux->destroy(h1c);
                                        TRACE_DEVEL("outgoing connection killed", H1_EV_STRM_END|H1_EV_H1C_END);
                                        goto end;
                                }

diff --git a/src/mux_h2.c b/src/mux_h2.c
index 15a5cd7..33775dc 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3911,7 +3911,7 @@ static void h2_detach(struct conn_stream *cs)
                                        if (eb_is_empty(&h2c->streams_by_id)) {
                                                if (!srv_add_to_idle_list(objt_server(h2c->conn->target), h2c->conn))
                                                        /* The server doesn't want it, let's kill the connection right away */
-                                                       h2c->conn->mux->destroy(h2c->conn);
+                                                       h2c->conn->mux->destroy(h2c);
                                                TRACE_DEVEL("leaving on error after killing outgoing connection", H2_EV_STRM_END|H2_EV_H2C_ERR);
                                                return;
                                        }