BUG/MEDIUM: httpclient: always detach the caller before self-killing

If the caller dies before the server responds, the httpclient can crash in hc_cli_res_end_cb() when unregistering because it dereferences hc->caller which was already freed during the caller's unregistration. The easiest way to reproduce it is by sending twice the following request on the same CLI connection in expert mode, with httpterm running on local port 8000: httpclient GET http://127.0.0.1:8000/?t=600 Note the 600ms delay that's larger than socat's default 500. The code checks for a NULL everywhere hc->caller is used, but the NULL was forgotten in this specific case. It must be placed in the second half of httpclient_stop_and_destroy() which is responsible for signaling the client that the caller leaves. This must be backported to 2.6. (cherry picked from commit b48292068bee8a54ed33a9e809c56ddcc566396c) Signed-off-by: Willy Tarreau <w@1wt.eu>
2022-09-01 20:40:26 +02:00 · 2022-09-01 20:40:26 +02:00 · 19e72e569f
commit 19e72e569f
parent 556b6931df
1 changed files with 3 additions and 1 deletions
--- a/src/http_client.c
+++ b/src/http_client.c
@ -567,8 +567,10 @@ void httpclient_stop_and_destroy(struct httpclient *hc)
 	if (hc->flags & HTTPCLIENT_FS_ENDED || !(hc->flags & HTTPCLIENT_FS_STARTED)) {
 		httpclient_destroy(hc);
 	} else {
-	/* if the client wasn't stopped, ask for a stop and destroy */
+		/* if the client wasn't stopped, ask for a stop and destroy */
 		hc->flags |= (HTTPCLIENT_FA_AUTOKILL | HTTPCLIENT_FA_STOP);
+		/* the calling applet doesn't exist anymore */
+		hc->caller = NULL;
 		if (hc->appctx)
 			appctx_wakeup(hc->appctx);
 	}