BUG/MEDIUM: ssl: SSL backend sessions used after free
authorFrederic Lecaille <flecaille@haproxy.com>
Fri, 13 Feb 2026 12:30:24 +0000 (13:30 +0100)
committerFrederic Lecaille <flecaille@haproxy.com>
Wed, 18 Feb 2026 14:37:13 +0000 (15:37 +0100)
This bug impacts only the backends. The cached sessions could be used after being
freed because of a missing write lock in ssl_sock_handle_hs_error() when freeing
such objects. This issue could only rarely be reproduced, and only with QUIC, with
difficulty (random CRYPTO data corruptions and instrumented code).

Must be backported as far as 2.6.

src/ssl_sock.c

index 291aa9467e0fa06e72c0cc1c7ecb5b75eeec38be..c1ebf7c353bdaf4295dda637f38e7077dae11421 100644 (file)
@@ -6008,8 +6008,9 @@ void ssl_sock_handle_hs_error(struct connection *conn)
                 * another thread */
 
                HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
-               if (s->ssl_ctx.reused_sess[tid].ptr)
-                       ha_free(&s->ssl_ctx.reused_sess[tid].ptr);
+               HA_RWLOCK_WRLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.reused_sess[tid].sess_lock);
+               ha_free(&s->ssl_ctx.reused_sess[tid].ptr);
+               HA_RWLOCK_WRUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.reused_sess[tid].sess_lock);
                HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
        }