RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-26 07:22:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG: ssl: send payload gets corrupted if tune.ssl.maxrecord is used

Browse Source 
We were using "tune.ssl.maxrecord 2000" and discovered an interesting
problem: SSL data sent from the server to the client showed occasional
corruption of the payload data.

The root cause was:
When ssl_max_record is smaller than the requested send amount
the ring buffer wrapping wasn't properly adjusting the
number of bytes to send.

I solved this by selecting the initial size based on the number
of output bytes that can be sent without splitting _before_ checking
against ssl_max_record.
This commit is contained in:
Kevin Hester 2013-05-30 15:12:41 -07:00 committed by Willy Tarreau
parent ba2ffd18b5
commit cad8234b00
1 changed files with 1 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/ssl_sock.c
View File

@ -1318,15 +1318,11 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
* in which case we accept to do it once again. * in which case we accept to do it once again.
*/ */
while (buf->o) { while (buf->o) {
try = buf->o; try = bo_contig_data(buf);
if (global.tune.ssl_max_record && try > global.tune.ssl_max_record) if (global.tune.ssl_max_record && try > global.tune.ssl_max_record)
try = global.tune.ssl_max_record; try = global.tune.ssl_max_record;
/* outgoing data may wrap at the end */
if (buf->data + try > buf->p)
try = buf->data + try - buf->p;
ret = SSL_write(conn->xprt_ctx, bo_ptr(buf), try); ret = SSL_write(conn->xprt_ctx, bo_ptr(buf), try);
if (conn->flags & CO_FL_ERROR) { if (conn->flags & CO_FL_ERROR) {
/* CO_FL_ERROR may be set by ssl_sock_infocbk */ /* CO_FL_ERROR may be set by ssl_sock_infocbk */