login proxy: Hanging outgoing SSL connections caused using already-freed memory

This mainly happened when login proxy closed the connection due to connect
timeout. The ssl-proxy still had a reference and existed for a longer time.
If SSL handshake still succeeded afterwards, it now called
login_proxy_ssl_handshaked(), which accessed the already-freed proxy and
likely crashed.

Fixed the ssl-client proxy code specifically. Alternatively ssl_proxy_free()
could be calling ssl_proxy_destroy() always, but since ssl-server side of
the code seems to have been working fine, I don't want to accidentally
break it.

diff --git a/src/login-common/login-proxy.c b/src/login-common/login-proxy.c
index 0b87a0917136d1ce4230cd441813f251cc2f1bc9..2765a8566cc2ff0c9668baeb33cff458f0fe3b0f 100644 (file)
--- a/src/login-common/login-proxy.c
+++ b/src/login-common/login-proxy.c
@@ -515,8 +515,10 @@ static void login_proxy_free_final(struct login_proxy *proxy)
                o_stream_destroy(&proxy->client_output);
        if (proxy->client_fd != -1)
                net_disconnect(proxy->client_fd);
-       if (proxy->ssl_server_proxy != NULL)
+       if (proxy->ssl_server_proxy != NULL) {
+               ssl_proxy_destroy(proxy->ssl_server_proxy);
                ssl_proxy_free(&proxy->ssl_server_proxy);
+       }
        i_free(proxy->host);
        i_free(proxy);
 }