From ea080c1778fa1bd3b7da0fb10edc7220b50e8612 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Fri, 24 Oct 2025 12:32:41 +0300
Subject: [PATCH] lib-ssl-iostream: Fix potential busy loop when handshake has failed If the stream is already destroyed, handshaking should return -1 as error instead of "more data needed". This fixes at least a potential busy loop when login-proxy tries to connect to a remote server with mismatching SSL certificate name. It was timing sensitive though, only seeming to happen when running with valgrind. This code has been there since 9d0640616c30701bed286034840facfb386db90e
---
 src/lib-ssl-iostream/iostream-openssl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index c0da08388e..3794354ec7 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -594,8 +594,10 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io)
 return openssl_iostream_bio_sync(ssl_io, OPENSSL_IOSTREAM_SYNC_TYPE_HANDSHAKE);
 /* we are being destroyed, so do not do any more handshaking */
- if (ssl_io->destroyed)
- return 0;
+ if (ssl_io->destroyed) {
+ errno = EPIPE;
+ return -1;
+ }
 if (ssl_io->ctx->client_ctx) {
 while ((ret = SSL_connect(ssl_io->ssl)) <= 0) {
-- 
2.47.3
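Review bot: The comment above the new `if (ssl_io->destroyed)` branch still only says that handshaking stops, so the reason this path must return an error rather than 0 is recorded in the commit message alone. I would extend it to something like `/* we are being destroyed: fail with -1/EPIPE instead of 0, since 0 means "more data needed" and callers would keep retrying */`. The branch sets only `errno`; whether callers report `errno` or the stream's own last-error text is not visible in this hunk, so it is worth confirming that the certificate name mismatch that led to the destroy is still what gets logged, not a bare EPIPE. Because the loop was timing-sensitive, a test that fails the handshake on a mismatching certificate name and asserts a -1 result would keep this from regressing. The body of openssl_iostream_handshake starts and ends outside the hunk.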