BUG/MEDIUM: ssl: Don't free the early data buffer too early master
authorOlivier Houchard <ohouchard@haproxy.com>
Mon, 15 Jun 2026 18:29:23 +0000 (20:29 +0200)
committerOlivier Houchard <cognet@ci0.org>
Mon, 15 Jun 2026 17:40:43 +0000 (19:40 +0200)
When 0RTT is enabled, a temporary buffer for early data is used. We read
from it first when the mux asks for data, and then we free it when it is
empty, but that is not right, because maybe we have more early data to
receive, and then we no longer have any buffer to store them, and that
will eventually end up with the connection closed in error.
To fix that, as long as we haven't received all the early data yet, just
reset the buffer, instead of freeing it.
This should fix github issue #3416
This should be backported up to 2.8.

src/ssl_sock.c

index 3489731534a7d5097eeab5323aa09b743eb2a928..5e5329a22474b9b2ab55f35a79fefd0f46539aee 100644 (file)
@@ -7092,8 +7092,12 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
                memcpy(b_tail(buf), b_head(&ctx->early_buf), try);
                b_add(buf, try);
                b_del(&ctx->early_buf, try);
-               if (b_data(&ctx->early_buf) == 0)
-                       b_free(&ctx->early_buf);
+               if (b_data(&ctx->early_buf) == 0) {
+                       if (!(ctx->conn->flags & CO_FL_EARLY_SSL_HS))
+                               b_free(&ctx->early_buf);
+                       else
+                               b_reset(&ctx->early_buf);
+               }
                TRACE_STATE("read early data", SSL_EV_CONN_RECV|SSL_EV_CONN_RECV_EARLY, conn, &try);
                return try;
        }
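Review bot: The new `else` branch keeps an empty early-data buffer allocated for as long as `CO_FL_EARLY_SSL_HS` is set, and nothing in this hunk shows where it is released if the flag is later cleared without more early data arriving. The only `b_free()` visible here sits in a block that copies out of `early_buf`, and the condition guarding that block is outside the hunk, as are the start and end of `ssl_sock_to_buf`. It is worth confirming that the path which clears the flag also frees an empty `early_buf`; otherwise every 0-RTT connection would hold the buffer until teardown. A short comment above the inner test would record the intent, e.g. `/* more early data may still arrive: keep the buffer, only rewind it */`. The test could also read `conn->flags`, matching the `conn` already passed to `TRACE_STATE` just below, assuming `ctx->conn` and `conn` are the same connection.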