BUG/MEDIUM: ssl: wrong eviction from the session cache tree

When using WolfSSL, there are some cases where the SSL_CTX_sess_new_cb is
called with an existing session ID. These cases are not met with
OpenSSL.

When the ID is found in the session tree during the insertion, the
shared_block len is not set to 0 and is not used. However if later the
block is reused, since the len is not set to 0, the release callback
will be called and ebmb_delete will be tried on the block, even if it's
not in the tree, provoking a crash.

The code was buggy from the beginning, but the case never happens with
OpenSSL which changes the ID.

Must be backported in every maintained branch.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0fea7dd..51d2d70 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4211,6 +4211,7 @@
 	if (oldsh_ssl_sess != sh_ssl_sess) {
 		 /* NOTE: Row couldn't be in use because we lock read & write function */
 		/* release the reserved row */
+		first->len = 0; /* the len must be liberated in order not to call the release callback on it */
 		shctx_row_dec_hot(ssl_shctx, first);
 		/* replace the previous session already in the tree */
 		sh_ssl_sess = oldsh_ssl_sess;
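Review bot: the comment on the added `first->len = 0;` line says the len "must be liberated", which does not state the invariant being protected. Going by the commit message, a non-zero len is what leads the release callback to attempt ebmb_delete on the block, so the comment could say that this reserved row was never inserted into the tree and that len is reset so a later reuse of the block does not trigger a delete on it. The reset sits directly before `shctx_row_dec_hot(ssl_shctx, first);`, so it is also worth saying in the comment whether it has to stay ahead of that call, so that a later refactor does not reorder the two lines.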