mirror/openwrt-packages
1
0
Fork 0
mirror of https://git.openwrt.org/feed/packages.git synced 2024-06-18 13:23:57 +02:00
Code Releases Activity

haproxy: update to version 1.9 patch 02

Browse Source 
- BUILD: fix "make install" to support spaces in the install dirs
 - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks
 - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM.
 - BUG/MINOR: samples: fix unnecessary memcopy converting binary to string.
 - BUG/MEDIUM: connection: sanitize PPv2 header length before parsing address information
 - BUG/MEDIUM: pattern: don't load more than once a pattern list.
 - BUG/MEDIUM: ssl: force a full GC in case of memory shortage
 - BUG/MINOR: config: don't inherit the default balance algorithm in frontends
 - BUG/MAJOR: frontend: initialize capture pointers earlier
 - BUG/MINOR: stats: correctly set the request/response analysers
 - DOC: fix typo in the body parser documentation for msg.sov
 - BUG/MINOR: peers: the buffer size is global.tune.bufsize, not trash.size
 - MINOR: sample: add a few basic internal fetches (nbproc, proc, stopping)
 - BUG/MAJOR: sessions: unlink session from list on out of memory
 - BUG/MEDIUM: patterns: previous fix was incomplete
 - BUG/MEDIUM: payload: ensure that a request channel is available

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
This commit is contained in:
Thomas Heil 2014-12-05 13:02:19 +01:00
parent 7c6557b9c3
commit 9912b6cbff
9 changed files with 86 additions and 443 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
net/haproxy/Makefile
View File

@ -9,12 +9,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
PKG_VERSION:=1.5.8
PKG_RELEASE:=06
PKG_VERSION:=1.5.9
PKG_RELEASE:=02
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_MD5SUM:=7bffa1afa069d90ce03b7cd9aa0557cd
PKG_MD5SUM:=b7672bb6a8aa188a655b418f3c96f65c
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
PKG_LICENSE:=GPL-2.0

34
net/haproxy/patches/0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch Normal file
View File

@ -0,0 +1,34 @@
From bad3c6f1b6d776e5d9951a3b3054b4dce8922c54 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 26 Nov 2014 13:17:03 +0100
Subject: [PATCH 1/2] BUG/MEDIUM: patterns: previous fix was incomplete
Dmitry Sivachenko <trtrmitya@gmail.com> reported that commit 315ec42
("BUG/MEDIUM: pattern: don't load more than once a pattern list.")
relies on an uninitialised variable in the stack. While it used to
work fine during the tests, if the uninitialized variable is non-null,
some patterns may be aggregated if loaded multiple times, resulting in
slower processing, which was the original issue it tried to address.
The fix needs to be backported to 1.5.
(cherry picked from commit 4deaf39243c4d941998b1b0175bad05b8a287c0b)
---
src/pattern.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pattern.c b/src/pattern.c
index 20547f9..208e33a 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -2096,7 +2096,7 @@ int pattern_read_from_file(struct pattern_head *head, unsigned int refflags,
struct pat_ref *ref;
struct pattern_expr *expr;
struct pat_ref_elt *elt;
- int reuse;
+ int reuse = 0;
/* Lookup for the existing reference. */
ref = pat_ref_lookup(filename);
--
2.0.4

46
net/haproxy/patches/0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch
View File

@ -1,46 +0,0 @@
From 184422d39df1aa27e6ef4c1ae75177489147ec99 Mon Sep 17 00:00:00 2001
From: Arcadiy Ivanov <arcadiy.ivanov@servicemesh.com>
Date: Tue, 4 Nov 2014 07:06:13 -0500
Subject: [PATCH 1/6] BUILD: fix "make install" to support spaces in the
install dirs
Makefile is unable to install into directories containing spaces.
(cherry picked from commit 3785311e64792787de78370fa126fd806734f7fe)
---
Makefile | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index 707037b..9556069 100644
--- a/Makefile
+++ b/Makefile
@@ -710,19 +710,19 @@ src/dlmalloc.o: $(DLMALLOC_SRC)
$(CC) $(COPTS) -DDEFAULT_MMAP_THRESHOLD=$(DLMALLOC_THRES) -c -o $@ $<
install-man:
- install -d $(DESTDIR)$(MANDIR)/man1
- install -m 644 doc/haproxy.1 $(DESTDIR)$(MANDIR)/man1
+ install -d "$(DESTDIR)$(MANDIR)"/man1
+ install -m 644 doc/haproxy.1 "$(DESTDIR)$(MANDIR)"/man1
install-doc:
- install -d $(DESTDIR)$(DOCDIR)
+ install -d "$(DESTDIR)$(DOCDIR)"
for x in configuration architecture haproxy-en haproxy-fr; do \
- install -m 644 doc/$$x.txt $(DESTDIR)$(DOCDIR) ; \
+ install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \
done
install-bin: haproxy haproxy-systemd-wrapper
- install -d $(DESTDIR)$(SBINDIR)
- install haproxy $(DESTDIR)$(SBINDIR)
- install haproxy-systemd-wrapper $(DESTDIR)$(SBINDIR)
+ install -d "$(DESTDIR)$(SBINDIR)"
+ install haproxy "$(DESTDIR)$(SBINDIR)"
+ install haproxy-systemd-wrapper "$(DESTDIR)$(SBINDIR)"
install: install-bin install-man install-doc
--
2.0.4

49
net/haproxy/patches/0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch Normal file
View File

@ -0,0 +1,49 @@
From 1e89acb6be9ba6400fe4defd3b6b2cc94c6667d9 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 26 Nov 2014 13:24:24 +0100
Subject: [PATCH 2/2] BUG/MEDIUM: payload: ensure that a request channel is
available
Denys Fedoryshchenko reported a segfault when using certain
sample fetch functions in the "tcp-request connection" rulesets
despite the warnings. This is because some tests for the existence
of the channel were missing.
The fetches which were fixed are :
- req.ssl_hello_type
- rep.ssl_hello_type
- req.ssl_sni
This fix must be backported to 1.5.
(cherry picked from commit 83f2592bcd2e186beeabcba16be16faaab82bd39)
---
src/payload.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/payload.c b/src/payload.c
index 4057f6f..f62163c 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -72,6 +72,9 @@ smp_fetch_ssl_hello_type(struct proxy *px, struct session *s, void *l7, unsigned
chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req;
+ if (!chn)
+ goto not_ssl_hello;
+
bleft = chn->buf->i;
data = (const unsigned char *)chn->buf->p;
@@ -276,6 +279,9 @@ smp_fetch_ssl_hello_sni(struct proxy *px, struct session *s, void *l7, unsigned
chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req;
+ if (!chn)
+ goto not_ssl_hello;
+
bleft = chn->buf->i;
data = (unsigned char *)chn->buf->p;
--
2.0.4

87
net/haproxy/patches/0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch
View File

@ -1,87 +0,0 @@
From 90951497008967f10ba8f9927b53c6e6bc138540 Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@haproxy.comw>
Date: Wed, 12 Nov 2014 17:35:37 +0100
Subject: [PATCH 2/6] BUG/MEDIUM: ssl: fix bad ssl context init can cause
segfault in case of OOM.
Some SSL context's init functions errors were not handled and
can cause a segfault due to an incomplete SSL context
initialization.
This fix must be backported to 1.5.
(cherry picked from commit 5547615cdac377797ae351a2e024376dbf6d6963)
---
src/ssl_sock.c | 44 ++++++++++++++++++++++++++++++++++----------
1 file changed, 34 insertions(+), 10 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f8bfbe7..620609f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2040,15 +2040,29 @@ static int ssl_sock_init(struct connection *conn)
return -1;
}
- SSL_set_connect_state(conn->xprt_ctx);
- if (objt_server(conn->target)->ssl_ctx.reused_sess)
- SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess);
-
/* set fd on SSL session context */
- SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
+ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
/* set connection pointer */
- SSL_set_app_data(conn->xprt_ctx, conn);
+ if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+
+ SSL_set_connect_state(conn->xprt_ctx);
+ if (objt_server(conn->target)->ssl_ctx.reused_sess) {
+ if(!SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess)) {
+ SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
+ objt_server(conn->target)->ssl_ctx.reused_sess = NULL;
+ }
+ }
/* leave init state and start handshake */
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
@@ -2065,13 +2079,23 @@ static int ssl_sock_init(struct connection *conn)
return -1;
}
- SSL_set_accept_state(conn->xprt_ctx);
-
/* set fd on SSL session context */
- SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
+ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
/* set connection pointer */
- SSL_set_app_data(conn->xprt_ctx, conn);
+ if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+
+ SSL_set_accept_state(conn->xprt_ctx);
/* leave init state and start handshake */
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
--
2.0.4

104
net/haproxy/patches/0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch
View File

@ -1,104 +0,0 @@
From 9bcc01ae25985dd540080f43b160beab1f1a2bc6 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 13 Nov 2014 13:48:58 +0100
Subject: [PATCH 3/6] BUG/MEDIUM: ssl: force a full GC in case of memory
shortage
When memory becomes scarce and openssl refuses to allocate a new SSL
session, it is worth freeing the pools and trying again instead of
rejecting all incoming SSL connection. This can happen when some
memory usage limits have been assigned to the haproxy process using
-m or with ulimit -m/-v.
This is mostly an enhancement of previous fix and is worth backporting
to 1.5.
(cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55)
---
src/ssl_sock.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 620609f..f50efe5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2033,9 +2033,16 @@ static int ssl_sock_init(struct connection *conn)
/* If it is in client mode initiate SSL session
in connect state otherwise accept state */
if (objt_server(conn->target)) {
+ int may_retry = 1;
+
+ retry_connect:
/* Alloc a new SSL session ctx */
conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
if (!conn->xprt_ctx) {
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2044,6 +2051,10 @@ static int ssl_sock_init(struct connection *conn)
if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2052,6 +2063,10 @@ static int ssl_sock_init(struct connection *conn)
if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2072,9 +2087,16 @@ static int ssl_sock_init(struct connection *conn)
return 0;
}
else if (objt_listener(conn->target)) {
+ int may_retry = 1;
+
+ retry_accept:
/* Alloc a new SSL session ctx */
conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx);
if (!conn->xprt_ctx) {
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2083,6 +2105,10 @@ static int ssl_sock_init(struct connection *conn)
if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
@@ -2091,6 +2117,10 @@ static int ssl_sock_init(struct connection *conn)
if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
--
2.0.4

102
net/haproxy/patches/0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch
View File

@ -1,102 +0,0 @@
From 1f96a87c4e1412ccdc6cfe81bfd6f20a1782886a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
Date: Sat, 15 Nov 2014 22:41:27 +0100
Subject: [PATCH 4/6] BUG/MEDIUM: checks: fix conflicts between agent checks
and ssl healthchecks
Lasse Birnbaum Jensen reported an issue when agent checks are used at the same
time as standard healthchecks when SSL is enabled on the server side.
The symptom is that agent checks try to communicate in SSL while it should
manage raw data. This happens because the transport layer is shared between all
kind of checks.
To fix the issue, the transport layer is now stored in each check type,
allowing to use SSL healthchecks when required, while an agent check should
always use the raw_sock implementation.
The fix must be backported to 1.5.
(cherry picked from commit 9ce1311ebc834e20addc7a8392c0fc4e4ad687b7)
---
include/types/checks.h | 3 ++-
include/types/server.h | 1 -
src/checks.c | 2 +-
src/server.c | 2 +-
src/ssl_sock.c | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/types/checks.h b/include/types/checks.h
index a50043b..42b7b07 100644
--- a/include/types/checks.h
+++ b/include/types/checks.h
@@ -125,6 +125,7 @@ enum {
};
struct check {
+ struct xprt_ops *xprt; /* transport layer operations for health checks */
struct connection *conn; /* connection state for health checks */
unsigned short port; /* the port to use for the health checks */
struct buffer *bi, *bo; /* input and output buffers to send/recv check */
@@ -132,7 +133,7 @@ struct check {
struct timeval start; /* last health check start time */
long duration; /* time in ms took to finish last health check */
short status, code; /* check result, check code */
- char desc[HCHK_DESC_LEN]; /* health check descritpion */
+ char desc[HCHK_DESC_LEN]; /* health check description */
int use_ssl; /* use SSL for health checks */
int send_proxy; /* send a PROXY protocol header with checks */
struct tcpcheck_rule *current_step; /* current step when using tcpcheck */
diff --git a/include/types/server.h b/include/types/server.h
index 313f58d..c419b40 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -194,7 +194,6 @@ struct server {
struct { /* configuration used by health-check and agent-check */
struct protocol *proto; /* server address protocol for health checks */
- struct xprt_ops *xprt; /* transport layer operations for health checks */
struct sockaddr_storage addr; /* the address to check, if different from <addr> */
} check_common;
diff --git a/src/checks.c b/src/checks.c
index 5318f35..84bf0e5 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -1413,7 +1413,7 @@ static int connect_chk(struct task *t)
/* prepare a new connection */
conn_init(conn);
- conn_prepare(conn, s->check_common.proto, s->check_common.xprt);
+ conn_prepare(conn, s->check_common.proto, check->xprt);
conn_attach(conn, check, &check_conn_cb);
conn->target = &s->obj_type;
diff --git a/src/server.c b/src/server.c
index fdb63cc..94a31b6 100644
--- a/src/server.c
+++ b/src/server.c
@@ -929,7 +929,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
newsrv->addr = *sk;
newsrv->proto = newsrv->check_common.proto = protocol_by_family(newsrv->addr.ss_family);
- newsrv->xprt = newsrv->check_common.xprt = &raw_sock;
+ newsrv->xprt = newsrv->check.xprt = newsrv->agent.xprt = &raw_sock;
if (!newsrv->proto) {
Alert("parsing [%s:%d] : Unknown protocol family %d '%s'\n",
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f50efe5..b73d6f9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1812,7 +1812,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
if (srv->use_ssl)
srv->xprt = &ssl_sock;
if (srv->check.use_ssl)
- srv->check_common.xprt = &ssl_sock;
+ srv->check.xprt = &ssl_sock;
srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
if (!srv->ssl_ctx.ctx) {
--
2.0.4

42
net/haproxy/patches/0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch
View File

@ -1,42 +0,0 @@
From cac307c020db7a938b73d4fef27a3b4ad2ecdf6a Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 18 Nov 2014 15:04:29 +0100
Subject: [PATCH 5/6] BUG/MINOR: config: don't inherit the default balance
algorithm in frontends
Tom Limoncelli from Stack Exchange reported a minor bug : the frontend
inherits the LB parameters from the defaults sections. The impact is
that if a "balance" directive uses any L7 parameter in the defaults
sections and the frontend is in TCP mode, a warning is emitted about
their incompatibility. The warning is harmless but a valid, sane config
should never cause any warning to be reported.
This fix should be backported into 1.5 and possibly 1.4.
(cherry picked from commit 743c128580ee29c8f073b4a29771a5ce715f3721)
---
src/cfgparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 392a692..40d20ab 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2003,7 +2003,6 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
curproxy->no_options = defproxy.no_options;
curproxy->no_options2 = defproxy.no_options2;
curproxy->bind_proc = defproxy.bind_proc;
- curproxy->lbprm.algo = defproxy.lbprm.algo;
curproxy->except_net = defproxy.except_net;
curproxy->except_mask = defproxy.except_mask;
curproxy->except_to = defproxy.except_to;
@@ -2037,6 +2036,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
}
if (curproxy->cap & PR_CAP_BE) {
+ curproxy->lbprm.algo = defproxy.lbprm.algo;
curproxy->fullconn = defproxy.fullconn;
curproxy->conn_retries = defproxy.conn_retries;
curproxy->max_ka_queue = defproxy.max_ka_queue;
--
2.0.4

59
net/haproxy/patches/0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch
View File

@ -1,59 +0,0 @@
From 8ba50128832bb31e95f06fe4cb2bd172f2b945fe Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 18 Nov 2014 18:49:19 +0100
Subject: [PATCH 6/6] BUG/MAJOR: frontend: initialize capture pointers earlier
Denys Fedoryshchenko reported and diagnosed a nasty bug caused by TCP
captures, introduced in late 1.5-dev by commit 18bf01e ("MEDIUM: tcp:
add a new tcp-request capture directive"). The problem is that we're
using the array of capture pointers initially designed for HTTP usage
only, and that this array was only reset when starting to process an
HTTP request. In a tcp-only frontend, the pointers are not reset, and
if the capture pool is shared, we can very well point to whatever other
memory location, resulting in random crashes when tcp-request content
captures are processed.
The fix simply consists in initializing these pointers when the pools
are prepared.
A workaround for existing versions consists in either disabling TCP
captures in tcp-only frontends, or in forcing the frontends to work in
HTTP mode.
Thanks to Denys for the amount of testing and detailed reports.
This fix must be backported to 1.5.
(cherry picked from commit 9654e57fac86c773091b892f42015ba2ba56be5a)
---
src/frontend.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/frontend.c b/src/frontend.c
index 3f80774..2928047 100644
--- a/src/frontend.c
+++ b/src/frontend.c
@@ -106,11 +106,17 @@ int frontend_accept(struct session *s)
if (global.tune.client_rcvbuf)
setsockopt(cfd, SOL_SOCKET, SO_RCVBUF, &global.tune.client_rcvbuf, sizeof(global.tune.client_rcvbuf));
- if (unlikely(s->fe->nb_req_cap > 0 && (s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL))
- goto out_return; /* no memory */
+ if (unlikely(s->fe->nb_req_cap > 0)) {
+ if ((s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL)
+ goto out_return; /* no memory */
+ memset(s->txn.req.cap, 0, s->fe->nb_req_cap * sizeof(void *));
+ }
- if (unlikely(s->fe->nb_rsp_cap > 0 && (s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL))
- goto out_free_reqcap; /* no memory */
+ if (unlikely(s->fe->nb_rsp_cap > 0)) {
+ if ((s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL)
+ goto out_free_reqcap; /* no memory */
+ memset(s->txn.rsp.cap, 0, s->fe->nb_rsp_cap * sizeof(void *));
+ }
if (s->fe->http_needed) {
/* we have to allocate header indexes only if we know
--
2.0.4