From: Willy Tarreau Date: Thu, 9 Oct 2025 16:47:54 +0000 (+0200) Subject: BUG/MINOR: ssl: always clear the remains of the first hello for the second one X-Git-Tag: v3.3-dev10~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=54f0ab08b8f1a3cb1970586e4b7ac48cf7bdf520;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: always clear the remains of the first hello for the second one William rightfully pointed that despite the ssl capture being a structure, some of its entries are only set for certain contents, so we need to always zero it before using it so as to clear any remains of a previous use, otherwise we could possibly report some entries that were only present in the first hello and not the second one. No need to clear the data though, since any remains will not be referenced by the fields. This must be backported wherever commit 336170007c ("BUG/MEDIUM: ssl: take care of second client hello") is backported. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 16ca0b755..38a80b9ee 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1948,9 +1948,11 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int */ capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index); if (!capture) - capture = pool_zalloc(pool_head_ssl_capture); + capture = pool_alloc(pool_head_ssl_capture); if (!capture) return; + + memset(capture, 0, sizeof(*capture)); /* Compute the xxh64 of the ciphersuite. */ capture->xxh64 = XXH64(msg, rec_len, 0);