From e2c65ba344bbe11c3dd595e68335893282aa02ef Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Sat, 10 Apr 2021 09:02:32 +0200
Subject: [PATCH] BUG/MINOR: mux-pt: Fix a possible UAF because of traces in mux_pt_io_cb

In mux_pt_io_cb(), if a connection error or a shutdown is detected, the mux is destroyed. Thus we must be careful to not use it in a trace message once destroyed. No backport needed. This patch should fix the issue #1220.
---
src/mux_pt.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/mux_pt.c b/src/mux_pt.c
index eff43d26f..3a36f373e 100644
--- a/src/mux_pt.c
+++ b/src/mux_pt.c
@@ -250,17 +250,16 @@ struct task *mux_pt_io_cb(struct task *t, void *tctx, unsigned int status)
  }
  conn_ctrl_drain(ctx->conn);
  if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH)) {
- TRACE_DEVEL("destroying pt context", PT_EV_CONN_WAKE, ctx->conn);
+ TRACE_DEVEL("leaving destroying pt context", PT_EV_CONN_WAKE, ctx->conn);
  mux_pt_destroy(ctx);
  t = NULL;
  }
  else {
- TRACE_DEVEL("subscribing for reads", PT_EV_CONN_WAKE, ctx->conn);
  ctx->conn->xprt->subscribe(ctx->conn, ctx->conn->xprt_ctx, SUB_RETRY_RECV, &ctx->wait_event);
+ TRACE_DEVEL("leaving subscribing for reads", PT_EV_CONN_WAKE, ctx->conn);
  }
- TRACE_LEAVE(PT_EV_CONN_WAKE, ctx->conn);
  return t;
  }
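Review bot: Nothing in the destroy branch records that the trace has to stay ahead of `mux_pt_destroy(ctx)`, so the statement order this fix depends on is easy to undo in a later edit. A short comment on that branch would pin it, for example `/* trace first: ctx must not be dereferenced once mux_pt_destroy() has run */`. The same reasoning is why the common `TRACE_LEAVE` after the if/else was dropped; a one-line comment above `return t;` such as `/* no trace here: ctx may already be destroyed */` would stop it from being re-added. mux_pt_io_cb starts outside the hunk, so its earlier exit path is not visible here and may be worth checking for the same pattern.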