Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 1b7c4dc3fc509a40debbf4ffa6342f56c7046e83
commit1b7c4dc3fc509a40debbf4ffa6342f56c7046e83[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.com>Tue Oct 15 14:04:08 2019 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Thu Oct 17 15:31:48 2019 +0200
treebcc5c03d95ec6bb0d7829d4c1960e3d4b5aab0a5
parent046a2e27886fd52f969c04582aab4931c34a48c3 [diff]
BUG/MINOR: mworker/ssl: close openssl FDs unconditionally

Patch 56996da ("BUG/MINOR: mworker/ssl: close OpenSSL FDs on reload")
fixes a issue where the /dev/random FD was leaked by OpenSSL upon a
reload in master worker mode. Indeed the FD was not flagged with
CLOEXEC.

The fix was checking if ssl_used_frontend or ssl_used_backend were set
to close the FD. This is wrong, indeed the lua init code creates an SSL
server without increasing the backend value, so the deinit is never
done when you don't use SSL in your configuration.

To reproduce the problem you just need to build haproxy with openssl and
lua with an openssl which does not use the getrandom() syscall.  No
openssl nor lua configuration are required for haproxy.

This patch must be backported as far as 1.8.

Fix issue #314.

(cherry picked from commit 5fdb5b36e1e0bef9b8a79c3550bd7a8751bac396)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
1 file changed
tree: bcc5c03d95ec6bb0d7829d4c1960e3d4b5aab0a5
  1. .github/
  2. contrib/
  3. doc/
  4. ebtree/
  5. examples/
  6. include/
  7. reg-tests/
  8. scripts/
  9. src/
  10. tests/
  11. .cirrus.yml
  12. .gitignore
  13. .travis.yml
  14. BRANCHES
  15. CHANGELOG
  16. CONTRIBUTING
  17. INSTALL
  18. LICENSE
  19. MAINTAINERS
  20. Makefile
  21. README
  22. ROADMAP
  23. SUBVERS
  24. VERDATE
  25. VERSION