From: William Lallemand
Date: Tue, 31 Jan 2023 13:12:28 +0000 (+0100)
Subject: BUG/MEDIUM: ssl: wrong eviction from the session cache tree
X-Git-Tag: v2.8-dev3~49
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=222e5a260bea5de940db2fd6cf19da2176ac8934;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: wrong eviction from the session cache tree

When using WolfSSL, there are some cases where the SSL_CTX_sess_new_cb is called with an existing session ID. These cases are not met with OpenSSL.

When the ID is found in the session tree during the insertion, the shared_block len is not set to 0 and is not used. However, if later the block is reused, since the len is not set to 0, the release callback will be called and ebmb_delete will be tried on the block, even if it's not in the tree, provoking a crash.

The code was buggy from the beginning, but the case never happens with OpenSSL, which changes the ID.

Must be backported to every maintained branch.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 0fea7dd099..51d2d70464 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4211,6 +4211,7 @@ static int sh_ssl_sess_store(unsigned char *s_id, unsigned char *data, int data_ if (oldsh_ssl_sess != sh_ssl_sess) { /* NOTE: Row couldn't be in use because we lock read & write function */ /* release the reserved row */ + first->len = 0; /* the len must be liberated in order not to call the release callback on it */ shctx_row_dec_hot(ssl_shctx, first); /* replace the previous session already in the tree */ sh_ssl_sess = oldsh_ssl_sess;
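Review bot: the added line `first->len = 0;` in the `oldsh_ssl_sess != sh_ssl_sess` branch makes correctness depend on the release callback treating a zero `len` as "this row was never inserted in the tree", but neither the new comment nor the existing NOTE states that contract, so the next reader will not know why the row must be zeroed before `shctx_row_dec_hot(ssl_shctx, first)`. Suggest rewording the comment to name the invariant rather than "liberated", e.g. `/* len == 0 marks a row that is not in the tree: the release callback must not ebmb_delete() it */`, and, since the commit message says the code was wrong from the beginning, checking that every other path in `sh_ssl_sess_store` that drops a reserved row without inserting it also leaves `len` at 0.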