From 54f0ab08b8f1a3cb1970586e4b7ac48cf7bdf520 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 9 Oct 2025 18:47:54 +0200 Subject: [PATCH] BUG/MINOR: ssl: always clear the remains of the first hello for the second one William rightfully pointed that despite the ssl capture being a structure, some of its entries are only set for certain contents, so we need to always zero it before using it so as to clear any remains of a previous use, otherwise we could possibly report some entries that were only present in the first hello and not the second one. No need to clear the data though, since any remains will not be referenced by the fields. This must be backported wherever commit 336170007c ("BUG/MEDIUM: ssl: take care of second client hello") is backported. --- src/ssl_sock.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 16ca0b755..38a80b9ee 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1948,9 +1948,11 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int */ capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index); if (!capture) - capture = pool_zalloc(pool_head_ssl_capture); + capture = pool_alloc(pool_head_ssl_capture); if (!capture) return; + + memset(capture, 0, sizeof(*capture)); /* Compute the xxh64 of the ciphersuite. */ capture->xxh64 = XXH64(msg, rec_len, 0);