BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections

TRACE_ENTER is crashing in ssl_sock_io_cb() in case a connection idle is being stolen. Indeed the function could be called with a NULL context and dereferencing it will crash. This patch fixes the issue by initializing ctx only once it is usable, and moving TRACE_ENTER after the initialization. This must be backported to 3.2.
2025-08-06 15:17:01 +02:00 · 2025-07-02 16:05:20 +02:00 · 2025-07-02 16:05:20 +02:00 · 720efd0409
commit 720efd0409
parent e34a0a50ae
1 changed files with 5 additions and 3 deletions
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -5792,13 +5792,11 @@ static int ssl_remove_xprt(struct connection *conn, void *xprt_ctx, void *toremo
 struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
 {
 	struct tasklet *tl = (struct tasklet *)t;
-	struct ssl_sock_ctx *ctx = context;
+	struct ssl_sock_ctx *ctx;
 	struct connection *conn;
 	int conn_in_list;
 	int ret = 0;

-	TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn);
-
 	if (state & TASK_F_USR1) {
 		/* the tasklet was idling on an idle connection, it might have
 		 * been stolen, let's be careful!
@ -5809,16 +5807,20 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
 			tasklet_free(tl);
 			return NULL;
 		}
+		ctx = context;
 		conn = ctx->conn;
 		conn_in_list = conn->flags & CO_FL_LIST_MASK;
 		if (conn_in_list)
 			conn_delete_from_tree(conn);
 		HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
 	} else {
+		ctx = context;
 		conn = ctx->conn;
 		conn_in_list = 0;
 	}

+	TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn);
+
 	/* First if we're doing an handshake, try that */
 	if (ctx->conn->flags & CO_FL_SSL_WAIT_HS) {
 		ssl_sock_handshake(ctx->conn, CO_FL_SSL_WAIT_HS);