]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e34a0a5)
BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections
authorWilliam Lallemand <wlallemand@haproxy.com>
Wed, 2 Jul 2025 14:05:20 +0000 (16:05 +0200)
committerWilliam Lallemand <wlallemand@haproxy.com>
Wed, 2 Jul 2025 14:14:19 +0000 (16:14 +0200)
TRACE_ENTER is crashing in ssl_sock_io_cb() in case a connection idle is
being stolen. Indeed the function could be called with a NULL context
and dereferencing it will crash.

This patch fixes the issue by initializing ctx only once it is usable,
and moving TRACE_ENTER after the initialization.

This must be backported to 3.2.

src/ssl_sock.c patch | blob | blame | history

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 76d3c5d488685a7fd155c7cba0cbc3676c737ece..216d2c558db4e83fa324116683a5fd0999ea617c 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5792,13 +5792,11 @@ static int ssl_remove_xprt(struct connection *conn, void *xprt_ctx, void *toremo
 struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
 {
        struct tasklet *tl = (struct tasklet *)t;
-       struct ssl_sock_ctx *ctx = context;
+       struct ssl_sock_ctx *ctx;
        struct connection *conn;
        int conn_in_list;
        int ret = 0;
 
-       TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn);
-
        if (state & TASK_F_USR1) {
                /* the tasklet was idling on an idle connection, it might have
                 * been stolen, let's be careful!
@@ -5809,16 +5807,20 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
                        tasklet_free(tl);
                        return NULL;
                }
+               ctx = context;
                conn = ctx->conn;
                conn_in_list = conn->flags & CO_FL_LIST_MASK;
                if (conn_in_list)
                        conn_delete_from_tree(conn);
                HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
        } else {
+               ctx = context;
                conn = ctx->conn;
                conn_in_list = 0;
        }
 
+       TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn);
+
        /* First if we're doing an handshake, try that */
        if (ctx->conn->flags & CO_FL_SSL_WAIT_HS) {
                ssl_sock_handshake(ctx->conn, CO_FL_SSL_WAIT_HS);
Mirror of https://github.com/haproxy/haproxy.git