BUG/MEDIUM: ssl: SSL backend sessions used after free

This bug impacts only the backends. The sessions cached could be used after being
freed because of a missing write lock into ssl_sock_handle_hs_error() when freeing
such objects. This issue could be rarely reproduced and only with QUIC with
difficulties (random CRYPTO data corruptions and instrumented code).

Must be backported as far as 2.6.
Frederic Lecaille 2026-02-13 13:30:24 +01:00
parent dfe1de4335
commit 3e6d030ce2


@ -6008,8 +6008,9 @@ void ssl_sock_handle_hs_error(struct connection *conn)
* another thread */
HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
if (s->ssl_ctx.reused_sess[tid].ptr)
ha_free(&s->ssl_ctx.reused_sess[tid].ptr);
HA_RWLOCK_WRLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.reused_sess[tid].sess_lock);
ha_free(&s->ssl_ctx.reused_sess[tid].ptr);
HA_RWLOCK_WRUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.reused_sess[tid].sess_lock);
HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
}
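Review bot: the comment ending in "another thread" just above the HA_RWLOCK_RDLOCK on &s->ssl_ctx.lock now describes only half of the locking and should be extended to say why the read lock on ssl_ctx.lock is not enough and the per-thread write lock on reused_sess[tid].sess_lock is taken before ha_free(): readers of reused_sess[tid].ptr on other threads synchronize on sess_lock, so freeing under the shared ssl_ctx.lock alone is what allowed the use after free this commit fixes. The removed "if (s->ssl_ctx.reused_sess[tid].ptr)" guard is not replaced in the new lines; this is fine only because ha_free() tolerates a NULL pointer (it frees *ptr and resets it), which is worth stating in the commit message so the dropped check is not mistaken for an oversight when backporting as far as 2.6.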