From 0c875c7751e3672f20225ab3b20fdb0322a8e4ad Mon Sep 17 00:00:00 2001
From: antirez <antirez@gmail.com>
Date: Tue, 30 Oct 2018 13:38:41 +0100
Subject: [PATCH] asyncCloseClientOnOutputBufferLimitReached(): don't free fake
 clients.

Fake clients are used in special situations and are not linked to the
normal clients list, freeing them will always result in Redis crashing
in one way or the other.

It's not common to send replies to fake clients, but we have one usage
in the modules API. When a client is blocked, we associate to the
blocked client object (that is safe to manipulate in a thread), a fake
client that accumulates replies. So because of this bug there was
the problem described in issue #5443.

The fix was verified to work with the provided example module. To write
a regression is very hard and unlikely to be triggered in the future.
---
 src/networking.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/networking.c b/src/networking.c
index e255e64d..7d387dab 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -2109,6 +2109,7 @@ int checkClientOutputBufferLimits(client *c) {
  * called from contexts where the client can't be freed safely, i.e. from the
  * lower level functions pushing data inside the client output buffers. */
 void asyncCloseClientOnOutputBufferLimitReached(client *c) {
+    if (c->fd == -1) return; /* It is unsafe to free fake clients. */
     serverAssert(c->reply_bytes < SIZE_MAX-(1024*64));
     if (c->reply_bytes == 0 || c->flags & CLIENT_CLOSE_ASAP) return;
     if (checkClientOutputBufferLimits(c)) {