From 24be710609fe24781b489339273beec29114a3b8 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 8 Apr 2020 15:16:51 +0200 Subject: [PATCH] BUG/MINOR: ssl/cli: memory leak in 'set ssl cert' When deleting the previous SNI entries with 'set ssl cert', the old SSL_CTX' were not free'd, which probably prevent the completion of the free of the X509 in the old ckch_store, because of the refcounts in the SSL library. This bug was introduced by 150bfa8 ("MEDIUM: cli/ssl: handle the creation of SSL_CTX in an IO handler"). Must be backported to 2.1. --- src/ssl_sock.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f58a1c0d5..0ade7c226 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -12103,6 +12103,8 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock); list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) { + if (sc0->order == 0) /* we only free if it's the first inserted */ + SSL_CTX_free(sc0->ctx); ebmb_delete(&sc0->name); LIST_DEL(&sc0->by_ckch_inst); free(sc0);