mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 07:37:02 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections

Browse Source 
TRACE_ENTER is crashing in ssl_sock_io_cb() in case a connection idle is
being stolen. Indeed the function could be called with a NULL context
and dereferencing it will crash.

This patch fixes the issue by initializing ctx only once it is usable,
and moving TRACE_ENTER after the initialization.

This must be backported to 3.2.
This commit is contained in:
William Lallemand 2025-07-02 16:05:20 +02:00
parent e34a0a50ae
commit 720efd0409
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/ssl_sock.c
View File

@ -5792,13 +5792,11 @@ static int ssl_remove_xprt(struct connection *conn, void *xprt_ctx, void *toremo
struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state) struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
{ {
struct tasklet *tl = (struct tasklet *)t; struct tasklet *tl = (struct tasklet *)t;
struct ssl_sock_ctx *ctx = context; struct ssl_sock_ctx *ctx;
struct connection *conn; struct connection *conn;
int conn_in_list; int conn_in_list;
int ret = 0; int ret = 0;
TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn);
if (state & TASK_F_USR1) { if (state & TASK_F_USR1) {
/* the tasklet was idling on an idle connection, it might have /* the tasklet was idling on an idle connection, it might have
* been stolen, let's be careful! * been stolen, let's be careful!
@ -5809,16 +5807,20 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
tasklet_free(tl); tasklet_free(tl);
return NULL; return NULL;
} }
ctx = context;
conn = ctx->conn; conn = ctx->conn;
conn_in_list = conn->flags & CO_FL_LIST_MASK; conn_in_list = conn->flags & CO_FL_LIST_MASK;
if (conn_in_list) if (conn_in_list)
conn_delete_from_tree(conn); conn_delete_from_tree(conn);
HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock); HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
} else { } else {
ctx = context;
conn = ctx->conn; conn = ctx->conn;
conn_in_list = 0; conn_in_list = 0;
} }
TRACE_ENTER(SSL_EV_CONN_IO_CB, ctx->conn);
/* First if we're doing an handshake, try that */ /* First if we're doing an handshake, try that */
if (ctx->conn->flags & CO_FL_SSL_WAIT_HS) { if (ctx->conn->flags & CO_FL_SSL_WAIT_HS) {
ssl_sock_handshake(ctx->conn, CO_FL_SSL_WAIT_HS); ssl_sock_handshake(ctx->conn, CO_FL_SSL_WAIT_HS);