From: William Lallemand
Date: Wed, 2 Jul 2025 14:05:20 +0000 (+0200)
Subject: BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections
X-Git-Tag: v3.3-dev3~49
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=720efd0409bd9d0a416af9df8786937ebff488ae;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections

TRACE_ENTER is crashing in ssl_sock_io_cb() in case a connection idle is being stolen. Indeed the function could be called with a NULL context and dereferencing it will crash. This patch fixes the issue by initializing ctx only once it is usable, and moving TRACE_ENTER after the initialization. This must be backported to 3.2.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 76d3c5d48..216d2c558 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5792,13 +5792,11 @@ static int ssl_remove_xprt(struct connection *conn, void *xprt_ctx, void *toremo
 struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
 {
 	struct tasklet *tl = (struct tasklet *)t;
-	struct ssl_sock_ctx *ctx = context;
+	struct ssl_sock_ctx *ctx;
 	struct connection *conn;
 	int conn_in_list;
 	int ret = 0;
 
-	TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn);
-
 	if (state & TASK_F_USR1) {
 		/* the tasklet was idling on an idle connection, it might have
 		 * been stolen, let's be careful!
@@ -5809,16 +5807,20 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
 			tasklet_free(tl);
 			return NULL;
 		}
+		ctx = context;
 		conn = ctx->conn;
 		conn_in_list = conn->flags & CO_FL_LIST_MASK;
 		if (conn_in_list)
 			conn_delete_from_tree(conn);
 		HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
 	} else {
+		ctx = context;
 		conn = ctx->conn;
 		conn_in_list = 0;
 	}
 
+	TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn);
+
 	/* First if we're doing an handshake, try that */
 	if (ctx->conn->flags & CO_FL_SSL_WAIT_HS) {
 		ssl_sock_handshake(ctx->conn, CO_FL_SSL_WAIT_HS);
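Review bot: The two late `ctx = context;` assignments in the second hunk carry the whole reason for the fix but nothing in the code says why `ctx` can no longer be initialised at its declaration, so the next reader will be tempted to fold it back and reintroduce the crash; a comment on the first assignment would pin it, e.g. `/* context is only trusted once the stolen-tasklet check above has passed */`. The assignment itself is harmless with a NULL context, it is the `ctx->conn` dereference that crashed, so the same protection is obtained by keeping `struct ssl_sock_ctx *ctx = context;` in the declaration and only moving TRACE_ENTER below the if/else, which is the smaller diff to backport; the duplicated assignment is a matter of taste as long as the intent is documented. Note that the stolen-tasklet early `return NULL` now runs with no TRACE_ENTER at all, so that path leaves no trace event; if that visibility matters for debugging idle-connection takeover, it presumably needs its own trace point before the return. The stolen check itself sits in the lines elided between the two hunks, and ssl_sock_io_cb continues past the end of the second hunk.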