From 9783e5746d8cb9ba190f9b6adaa59c50df0aeedf Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Thu, 9 Oct 2025 18:47:54 +0200
Subject: [PATCH] BUG/MINOR: ssl: always clear the remains of the first hello for the second one

William rightfully pointed that despite the ssl capture being a structure, some of its entries are only set for certain contents, so we need to always zero it before using it so as to clear any remains of a previous use, otherwise we could possibly report some entries that were only present in the first hello and not the second one. No need to clear the data though, since any remains will not be referenced by the fields. This must be backported wherever commit 336170007c ("BUG/MEDIUM: ssl: take care of second client hello") is backported.
(cherry picked from commit 54f0ab08b8f1a3cb1970586e4b7ac48cf7bdf520)
Signed-off-by: Willy Tarreau
(cherry picked from commit f86ff7f51271b4b7bccd1f3b8cef0d911e1b5b9e)
Signed-off-by: Willy Tarreau
(cherry picked from commit 63bb7b723be0926511741fab5169bcfd8dd221e8)
Signed-off-by: Willy Tarreau
---
 src/ssl_sock.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c54d9f8..af33bc5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1719,9 +1719,11 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 */
 capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
 if (!capture)
- capture = pool_zalloc(pool_head_ssl_capture);
+ capture = pool_alloc(pool_head_ssl_capture);
 if (!capture)
 return;
+
+ memset(capture, 0, sizeof(*capture));
 /* Compute the xxh64 of the ciphersuite. */
 capture->xxh64 = XXH64(msg, rec_len, 0);
--
1.7.10.4
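Review bot: The `memset(capture, 0, sizeof(*capture));` added after the `if (!capture) return;` check carries no comment, yet together with the switch from `pool_zalloc()` to `pool_alloc()` it changes what is guaranteed about the buffer. Going by the commit message, `sizeof(*capture)` covers only the structure's fields, so the data area is no longer zeroed even on first allocation and may hold bytes from a previous hello or, presumably, from a recycled pool object. That is safe only while every reader reaches the data through the fields that reference it, which this hunk does not show and is worth confirming for the consumers of the capture. I would record the invariant at the call site, e.g. `/* Always reset the fields: the capture may be reused for a second hello. The data area is deliberately not cleared and must only be read through the fields that reference it. */`. The body of ssl_sock_parse_clienthello() starts and ends outside the hunk.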