BUG/MEDIUM: ssl: wrong eviction from the session cache tree

When using WolfSSL, there are some cases were the SSL_CTX_sess_new_cb is
called with an existing session ID. These cases are not met with
OpenSSL.

When the ID is found in the session tree during the insertion, the
shared_block len is not set to 0 and is not used. However if later the
block is reused, since the len is not set to 0, the release callback
will be called an ebmb_delete will be tried on the block, even if it's
not in the tree, provoking a crash.

The code was buggy from the beginning, but the case never happen with
openssl which changes the ID.

Must be backported in every maintained branches.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0fea7dd09932fa973b5c45fac957717a1fd224ae..51d2d70464c0fca812d074c1d96088b0c54fc9f4 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4211,6 +4211,7 @@ static int sh_ssl_sess_store(unsigned char *s_id, unsigned char *data, int data_
        if (oldsh_ssl_sess != sh_ssl_sess) {
                 /* NOTE: Row couldn't be in use because we lock read & write function */
                /* release the reserved row */
+               first->len = 0; /* the len must be liberated in order not to call the release callback on it */
                shctx_row_dec_hot(ssl_shctx, first);
                /* replace the previous session already in the tree */
                sh_ssl_sess = oldsh_ssl_sess;