git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MINOR: ssl/cli: memory leak in 'set ssl cert'
author William Lallemand <wlallemand@haproxy.com>
Wed, 8 Apr 2020 13:16:51 +0000 (15:16 +0200)
committer William Lallemand <wlallemand@haproxy.org>
Wed, 8 Apr 2020 13:29:10 +0000 (15:29 +0200)
When deleting the previous SNI entries with 'set ssl cert', the old
SSL_CTXs were not free'd, which probably prevented the completion of the
free of the X509 in the old ckch_store, because of the refcounts in the
SSL library.

This bug was introduced by 150bfa8 ("MEDIUM: cli/ssl: handle the
creation of SSL_CTX in an IO handler").

Must be backported to 2.1.

src/ssl_sock.c

index f58a1c0d5b333c09323398dc8a4e67cf221a80b0..0ade7c2261db6238eb61e51b8b5e841bd9945fd9 100644 (file)
@@ -12103,6 +12103,8 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 
                                        HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
                                        list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) {
+                                               if (sc0->order == 0) /* we only free if it's the first inserted */
+                                                       SSL_CTX_free(sc0->ctx);
                                                ebmb_delete(&sc0->name);
                                                LIST_DEL(&sc0->by_ckch_inst);
                                                free(sc0);
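Review bot: the guard `if (sc0->order == 0)` deserves a fuller comment than "we only free if it's the first inserted": as written it says when the free happens but not why, and the reason, that the same SSL_CTX is shared by every sni_ctx entry created for this ckch_inst so freeing it from each entry would be a double free, is exactly what a later reader needs in order not to "fix" the leak again by dropping the condition. Suggest something like `/* the SSL_CTX is shared by all sni_ctx of this instance; order == 0 marks the owning entry */`. Placing the `SSL_CTX_free(sc0->ctx)` before `ebmb_delete(&sc0->name)` is fine since the tree holds no reference to the ctx, and because SSL_CTX_free only drops a refcount the old X509 in the ckch_store is released only once the last context referencing it is gone, which matches what the commit message describes.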