upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-03 16:15:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 12

BUG/MEDIUM: conn: fix UAF on connection after reversal on edge

Browse source 
When a connection is reversed, some elements must be resetted prior to
reusing it. Most notably, connection must be removed from lists specific
on frontend/backend sides.

When reverse was performed for frontend to backend side, connection was
not removed via its <stopping_list> attach point. On previous releases,
this did not cause any issue. However, crashes start to occur recently,
probably due to the recent reorganization of connection list attach
points from the following patch.

  commit a96f1286a7
  BUG/MINOR: connection: rearrange union list members

To fix this, simply ensure that <stopping_list> detach is performed via
conn_reverse().

This patch must be backported up to 3.0 release.
This commit is contained in:
Amaury Denoyelle 2025-09-04 16:35:49 +02:00
parent 93cc18ac42
commit 27ff7ff296
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/connection.c
View file

@ -2961,6 +2961,8 @@ int conn_reverse(struct connection *conn)
struct server *srv = objt_server(conn->reverse.target);
BUG_ON(!srv);
LIST_DEL_INIT(&conn->stopping_list);
if (conn_backend_init(conn))
return 1;