From 51b7c93de3301d93b6a40f2e413d9b9e2c9b96ef Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 26 Feb 2021 21:06:32 +0100 Subject: [PATCH] CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free In ssl_sock_free_srv_ctx() there are some calls to free() which are not followed by a zeroing of the pointers. For now this function is only used during deinit but it could be used at run time in the near future, so better secure this. (cherry picked from commit e709e821734c306ae482e537e3ab4960046e386c) [wt: backported to support next patch; adjusted ctx as SNI not stored there in 2.4 and upper; no ha_free() in 2.3] Signed-off-by: Willy Tarreau --- src/ssl_sock.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index b2eb9eb..cc69a2f 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4763,25 +4763,34 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf) void ssl_sock_free_srv_ctx(struct server *srv) { #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation - if (srv->ssl_ctx.alpn_str) + if (srv->ssl_ctx.alpn_str) { free(srv->ssl_ctx.alpn_str); + srv->ssl_ctx.alpn_str = NULL; + } #endif #ifdef OPENSSL_NPN_NEGOTIATED - if (srv->ssl_ctx.npn_str) + if (srv->ssl_ctx.npn_str) { free(srv->ssl_ctx.npn_str); + srv->ssl_ctx.npn_str = NULL; + } #endif if (srv->ssl_ctx.reused_sess) { int i; for (i = 0; i < global.nbthread; i++) { free(srv->ssl_ctx.reused_sess[i].ptr); + srv->ssl_ctx.reused_sess[i].ptr = NULL; free(srv->ssl_ctx.reused_sess[i].sni); + srv->ssl_ctx.reused_sess[i].sni = NULL; } free(srv->ssl_ctx.reused_sess); + srv->ssl_ctx.reused_sess = NULL; } - if (srv->ssl_ctx.ctx) + if (srv->ssl_ctx.ctx) { SSL_CTX_free(srv->ssl_ctx.ctx); + srv->ssl_ctx.ctx = NULL; + } } /* Walks down the two trees in bind_conf and frees all the certs. The pointer may -- 1.7.10.4