From 83e3cbc262a6992246dcc53e3e2e565842c85aa2 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Wed, 22 Oct 2025 17:56:45 +0200
Subject: [PATCH] BUG/MINOR: ssl: returns when SSL_CTX_new failed during init

In ssl_sock_initial_ctx(), returns when SSL_CTX_new() failed instead of trying to apply anything on the ctx. This may avoid crashing when there's not enough memory anymore during configuration parsing. Could be backported in every haproxy versions
---
 src/ssl_sock.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 437b28cc4..14b817980 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3942,6 +3942,13 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 	const int default_min_ver = CONF_TLSV12;
 
 	ctx = SSL_CTX_new(SSLv23_server_method());
+	if (!ctx) {
+		cfgerr += 1;
+		ha_alert("Proxy '%s': failed to create an SSL context for bind '%s' at [%s:%d].\n",
+		         bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+		goto end;
+	}
+
 	bind_conf->initial_ctx = ctx;
 
 	if (global_ssl.security_level > -1)
@@ -4067,6 +4074,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 # endif
 	SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf);
 #endif /* ! SSL_CTRL_SET_TLSEXT_HOSTNAME */
+end:
 	return cfgerr;
 }
 
-- 
2.47.3
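Review bot: The new `ha_alert(...)` in the first hunk says that SSL_CTX_new() failed but not why, and the failure reason is left sitting on the OpenSSL error queue where a later, unrelated check may report it as its own; adding a `%s` fed by `ERR_error_string(ERR_get_error(), NULL)` to the message would both tell the operator whether this was memory exhaustion or a library-level refusal and pop that entry off the queue. After the early `goto end`, `bind_conf->initial_ctx` is never assigned, so any caller that dereferences it without first checking the returned `cfgerr` would now see whatever the field held before; those callers are outside this patch, so that is worth confirming rather than assumed. The second hunk only adds the `end:` label that the first hunk jumps to, and the body of ssl_sock_initial_ctx() continues outside both hunks.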