From dc15581c02171eeb49ef3ffbab0f583f38482b4c Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Mon, 25 Nov 2024 22:05:27 +0100 Subject: [PATCH] BUG/MEDIUM: http-ana: Don't release too early the L7 buffer In some cases, the buffer used to store the request to be able to perform a L7 retry is released released too early, leading to a crash because a retry is performed with an empty request. First, there is a test on invalid 101 responses that may be caught by the "junk-response" retry policy. Then, it is possible to get an error (empty-response, bad status code...) after an interim response. In both cases, the L7 buffer is already released while it should not. To fix the issue, the L7 buffer is now released at the end of the AN_RES_WAIT_HTTP analyser, but only when a response was successfully received and processed. In all error cases, the stream is quickly released, with the L7 buffer. So there is no leak and it is safer this way. This patch may fix the issue #2793. It must be as far as 2.4. --- src/http_ana.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/http_ana.c b/src/http_ana.c index 0a5ba007a62c0..1dae2ee191623 100644 --- a/src/http_ana.c +++ b/src/http_ana.c @@ -1451,9 +1451,6 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) return 0; } - /* Now, L7 buffer is useless, it can be released */ - b_free(&txn->l7_buffer); - msg->msg_state = HTTP_MSG_BODY; @@ -1642,6 +1639,9 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) } end: + /* Now, L7 buffer is useless, it can be released */ + b_free(&txn->l7_buffer); + /* we want to have the response time before we start processing it */ s->logs.t_data = ns_to_ms(now_ns - s->logs.accept_ts);