BUG/MEDIUM: http-ana: Don't release too early the L7 buffer

In some cases, the buffer used to store the request to be able to perform a L7 retry is released released too early, leading to a crash because a retry is performed with an empty request. First, there is a test on invalid 101 responses that may be caught by the "junk-response" retry policy. Then, it is possible to get an error (empty-response, bad status code...) after an interim response. In both cases, the L7 buffer is already released while it should not. To fix the issue, the L7 buffer is now released at the end of the AN_RES_WAIT_HTTP analyser, but only when a response was successfully received and processed. In all error cases, the stream is quickly released, with the L7 buffer. So there is no leak and it is safer this way. This patch may fix the issue haproxy#2793. It must be as far as 2.4.
FireBurn · Nov 25, 2024 · dc15581 · dc15581
1 parent ceb80ae
commit dc15581
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/http_ana.c b/src/http_ana.c
@@ -1451,9 +1451,6 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
 		return 0;
 	}
 
-	/* Now, L7 buffer is useless, it can be released */
-	b_free(&txn->l7_buffer);
-
 	msg->msg_state = HTTP_MSG_BODY;
 
 
@@ -1642,6 +1639,9 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
 	}
 
   end:
+	/* Now, L7 buffer is useless, it can be released */
+	b_free(&txn->l7_buffer);
+
 	/* we want to have the response time before we start processing it */
 	s->logs.t_data = ns_to_ms(now_ns - s->logs.accept_ts);