BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL

When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the
connection must be shut down for reading. Else, the connection loops infinitly,
consuming all the CPU.

The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always
treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in
1.8 too.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 93aec33c464752f572acf2d625e164af3db5cc04..1cd1547c7ae20cd23cbac8e59ef4c6b923c8e88d 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5449,10 +5449,9 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
                                break;
                        } else if (ret == SSL_ERROR_ZERO_RETURN)
                                goto read0;
-                       /* For SSL_ERROR_SYSCALL, make sure the error is
-                        * unrecoverable before flagging the connection as
-                        * in error.
-                        */
+                       /* For SSL_ERROR_SYSCALL, make sure to clear the error
+                        * stack before shutting down the connection for
+                        * reading. */
                        if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
                                goto clear_ssl_error;
                        /* otherwise it's a real error */
@@ -5465,16 +5464,19 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
        conn_cond_update_sock_polling(conn);
        return done;
 
+ clear_ssl_error:
+       /* Clear openssl global errors stack */
+       ssl_sock_dump_errors(conn);
+       ERR_clear_error();
  read0:
        conn_sock_read0(conn);
        goto leave;
+
  out_error:
        conn->flags |= CO_FL_ERROR;
-clear_ssl_error:
        /* Clear openssl global errors stack */
        ssl_sock_dump_errors(conn);
        ERR_clear_error();
-
        goto leave;
 }