From: Olivier Houchard Date: Mon, 15 Jun 2026 18:29:23 +0000 (+0200) Subject: BUG/MEDIUM: ssl: Don't free the early data buffer too early X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: Don't free the early data buffer too early When 0RTT is enabled, a temporary buffer for early data is used. We read from it first when the mux asks for data, and then we free it when it is empty, but that is not right, because maybe we have more early data to receive, and then we no longer have any buffer to store them, and that will eventually end up with the connection closed in error. To fix that, as long as we haven't received all the early data yet, just reset the buffer, instead of freeing it. This should fix github issue #3416 This should be backported up to 2.8.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 348973153..5e5329a22 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7092,8 +7092,12 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 memcpy(b_tail(buf), b_head(&ctx->early_buf), try);
 b_add(buf, try);
 b_del(&ctx->early_buf, try);
- if (b_data(&ctx->early_buf) == 0)
- b_free(&ctx->early_buf);
+ if (b_data(&ctx->early_buf) == 0) {
+ if (!(ctx->conn->flags & CO_FL_EARLY_SSL_HS))
+ b_free(&ctx->early_buf);
+ else
+ b_reset(&ctx->early_buf);
+ }
 TRACE_STATE("read early data", SSL_EV_CONN_RECV|SSL_EV_CONN_RECV_EARLY, conn, &try);
 return try;
 }
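Review bot: The new inner `if` keeps the early-data buffer allocated while CO_FL_EARLY_SSL_HS is set but leaves the reader to infer why from the flag name; a one-line comment above it would make the intent durable, e.g. `/* more early data may still arrive until the handshake completes: keep the buffer, just empty it */`. The flag test reads `ctx->conn->flags` whereas the surrounding hunk (the TRACE_STATE call, the function's own `conn` parameter) uses `conn` directly; if the two always name the same connection, `if (!(conn->flags & CO_FL_EARLY_SSL_HS))` would be the consistent spelling. Once the flag is cleared, this branch frees the buffer only on a later pass with no data left, so a buffer emptied during the handshake may stay allocated until some other release path runs — worth confirming one exists, since nothing in this hunk shows it. ssl_sock_to_buf begins and ends outside the hunk.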