BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
authorFrédéric Lécaille <flecaille@haproxy.com>
Fri, 24 Jan 2020 13:56:18 +0000 (14:56 +0100)
committerOlivier Houchard <cognet@ci0.org>
Fri, 24 Jan 2020 14:12:21 +0000 (15:12 +0100)

As the server early data buffer is allocated in the middle of the loop
used to allocate the SSL session without being freed before retrying,
this leads to a memory leak.

To fix this we move the section of code responsible for this early data buffer
allocation after the one responsible for allocating the SSL session.

Must be backported to 2.1 and 2.0.

src/ssl_sock.c

index cbf51b796cb101e4f0b752279620c9b75d7a4584..e42f071250f9c81acc836f4666a177d76d3b0aaa 100644 (file)
@@ -5999,18 +5999,6 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
                        conn->err_code = CO_ER_SSL_NO_MEM;
                        goto err;
                }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
-               if (__objt_listener(conn->target)->bind_conf->ssl_conf.early_data) {
-                       b_alloc(&ctx->early_buf);
-                       SSL_set_max_early_data(ctx->ssl,
-                           /* Only allow early data if we managed to allocate
-                            * a buffer.
-                            */
-                           (!b_is_null(&ctx->early_buf)) ?
-                           global.tune.bufsize - global.tune.maxrewrite : 0);
-               }
-#endif
-
                ctx->bio = BIO_new(ha_meth);
                if (!ctx->bio) {
                        if (may_retry--) {
@@ -6035,6 +6023,18 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
                        goto err;
                }
 
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+               if (__objt_listener(conn->target)->bind_conf->ssl_conf.early_data) {
+                       b_alloc(&ctx->early_buf);
+                       SSL_set_max_early_data(ctx->ssl,
+                           /* Only allow early data if we managed to allocate
+                            * a buffer.
+                            */
+                           (!b_is_null(&ctx->early_buf)) ?
+                           global.tune.bufsize - global.tune.maxrewrite : 0);
+               }
+#endif
+
                SSL_set_accept_state(ctx->ssl);
 
                /* leave init state and start handshake */
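Review bot: Nothing at the relocated `#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)` block records that its position after the `may_retry` paths is what prevents the leak, so a later reorder could silently reintroduce it on the accept path. A comment ahead of `b_alloc(&ctx->early_buf);` such as `/* keep after the retry paths above: a retry would leak early_buf */` would pin the constraint. Separately, a failed `b_alloc()` quietly turns 0-RTT off for this connection by passing 0 to `SSL_set_max_early_data()`; that looks deliberate, but it is worth confirming that any failure after this point which reaches the `err` label also releases `ctx->early_buf`, since that label is not visible here. The body of ssl_sock_init starts before and continues after this hunk.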