From: William Lallemand
Date: Mon, 13 May 2019 12:31:34 +0000 (+0200)
Subject: BUG/MAJOR: ssl: segfault upon a heartbeat request
X-Git-Tag: v2.0-dev3~39
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e1770b1516febc8d18c2dad3816e5b344f8d2df;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: ssl: segfault upon a heartbeat request

7b5fd1e ("MEDIUM: connections: Move some fields from struct connection to ssl_sock_ctx.") introduced a bug in the heartbleed mitigation code. Indeed, the code used conn->ctx instead of conn->xprt_ctx for the ssl context, resulting in a null dereference.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 1a579f5999..651afa3a7a 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1735,7 +1735,7 @@ void ssl_sock_msgcbk(int write_p, int version, int content_type, const void *buf for a received record) */ if ((content_type == TLS1_RT_HEARTBEAT) && (write_p == 0)) { struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); - struct ssl_sock_ctx *ctx = conn->ctx; + struct ssl_sock_ctx *ctx = conn->xprt_ctx; const unsigned char *p = buf; unsigned int payload;
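Review bot: the one-line fix in the ssl_sock_msgcbk hunk restores the right field, but the two pointers it relies on are still dereferenced without a check: `conn` comes straight from `SSL_get_ex_data(ssl, ssl_app_data_index)`, which returns NULL when no ex_data was attached to that SSL object, and `ctx = conn->xprt_ctx` is then used by the heartbeat inspection code with no NULL test either. A guard such as `if (!conn || !conn->xprt_ctx) return;` before the assignment would keep an attacker-supplied heartbeat record from turning a missing context into the same kind of crash this patch is fixing. Since `conn->ctx` and `conn->xprt_ctx` are both generic pointers the compiler could not flag the mix-up introduced by 7b5fd1e, so this path would also benefit from a regression test that sends a TLS heartbeat record to a frontend with the mitigation enabled.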