From: William Lallemand Date: Tue, 23 Jun 2020 09:02:17 +0000 (+0200) Subject: BUG/MEDIUM: ssl: fix ssl_bind_conf double free X-Git-Tag: v2.2-dev11~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7df5c2d;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: fix ssl_bind_conf double free Since commit 2954c47 ("MEDIUM: ssl: allow crt-list caching"), the ssl_bind_conf is allocated directly in the crt-list, and the crt-list can be shared between several bind_conf. The deinit() code wasn't changed to handle that. This patch fixes the issue by removing the free of the ssl_conf in ssl_sock_free_all_ctx(). It should be completed with a patch that free the ssl_conf and the crt-list. Fix issue #700.
---
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index d54469c9ea..cc7a7aad67 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -134,7 +134,7 @@ struct sni_ctx {
 unsigned int neg:1; /* reject if match */
 unsigned int wild:1; /* wildcard sni */
 struct pkey_info kinfo; /* pkey info */
- struct ssl_bind_conf *conf; /* ssl "bind" conf for the certificate */
+ struct ssl_bind_conf *conf; /* ptr to a crtlist's ssl_conf, must not be free from here */
 struct list by_ckch_inst; /* chained in ckch_inst's list of sni_ctx */
 struct ckch_inst *ckch_inst; /* instance used to create this sni_ctx */
 struct ebmb_node name; /* node holding the servername value */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 322613c375..715ae9d672 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4763,11 +4763,6 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf)
 back = ebmb_next(node);
 ebmb_delete(node);
 SSL_CTX_free(sni->ctx);
- if (!sni->order) { /* only free the CTX conf on its first occurrence */
- ssl_sock_free_ssl_conf(sni->conf);
- free(sni->conf);
- sni->conf = NULL;
- }
 free(sni);
 node = back;
 }
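Review bot: The new comment on `conf` in `struct sni_ctx` says what must not happen but not who owns the object, and "must not be free" should read "must not be freed". Since the commit message states that the crt-list can be shared between several bind_conf, I would spell the ownership out: `/* borrowed ptr to a crtlist's ssl_conf (crt-list may be shared by several bind_conf), must not be freed from here */`. The same invariant deserves one line in `ssl_sock_free_all_ctx()` in src/ssl_sock.c, next to `free(sni);`, for example `/* sni->conf belongs to the crt-list, do not free it here */`, so a later deinit cleanup does not reintroduce the double free. Both the struct and that function start and end outside their hunks, so only the visible lines were considered.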