From 94ff03af84ee0c4a2b6cfb92332fcafbcdc48765 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 22 Dec 2016 17:57:46 +0100 Subject: [PATCH] BUG/MEDIUM: ssl: avoid double free when releasing bind_confs ssl_sock functions don't mark pointers as NULL after freeing them. So if a "bind" line specifies some SSL settings without the "ssl" keyword, they will get freed at the end of check_config_validity(), then freed a second time on exit. Simply mark the pointers as NULL to fix this. This fix needs to be backported to 1.7 and 1.6. --- src/cfgparse.c | 7 +++++++ src/ssl_sock.c | 2 ++ 2 files changed, 9 insertions(+) diff --git a/src/cfgparse.c b/src/cfgparse.c index e9876f859..1c9b430c5 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -8850,6 +8850,13 @@ out_uri_auth_compat: LIST_DEL(&bind_conf->keys_ref->list); free(bind_conf->keys_ref); } + bind_conf->keys_ref = NULL; + bind_conf->crl_file = NULL; + bind_conf->ecdhe = NULL; + bind_conf->ciphers = NULL; + bind_conf->ca_sign_pass = NULL; + bind_conf->ca_sign_file = NULL; + bind_conf->ca_file = NULL; #endif /* USE_OPENSSL */ } diff --git a/src/ssl_sock.c b/src/ssl_sock.c index b681d639e..6739fbc9f 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3334,6 +3334,8 @@ ssl_sock_free_ca(struct bind_conf *bind_conf) EVP_PKEY_free(bind_conf->ca_sign_pkey); if (bind_conf->ca_sign_cert) X509_free(bind_conf->ca_sign_cert); + bind_conf->ca_sign_pkey = NULL; + bind_conf->ca_sign_cert = NULL; } /*