BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
As the server early data buffer is allocated in the middle of the loop
used to allocate the SSL session without being freed before retrying,
this leads to a memory leak.
To fix this we move the section of code responsible of this early data buffer
alloction after the one reponsible of allocating the SSL session.
Must be backported to 2.1 and 2.0.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cbf51b7..e42f071 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5999,18 +5999,6 @@
conn->err_code = CO_ER_SSL_NO_MEM;
goto err;
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
- if (__objt_listener(conn->target)->bind_conf->ssl_conf.early_data) {
- b_alloc(&ctx->early_buf);
- SSL_set_max_early_data(ctx->ssl,
- /* Only allow early data if we managed to allocate
- * a buffer.
- */
- (!b_is_null(&ctx->early_buf)) ?
- global.tune.bufsize - global.tune.maxrewrite : 0);
- }
-#endif
-
ctx->bio = BIO_new(ha_meth);
if (!ctx->bio) {
if (may_retry--) {
@@ -6035,6 +6023,18 @@
goto err;
}
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ if (__objt_listener(conn->target)->bind_conf->ssl_conf.early_data) {
+ b_alloc(&ctx->early_buf);
+ SSL_set_max_early_data(ctx->ssl,
+ /* Only allow early data if we managed to allocate
+ * a buffer.
+ */
+ (!b_is_null(&ctx->early_buf)) ?
+ global.tune.bufsize - global.tune.maxrewrite : 0);
+ }
+#endif
+
SSL_set_accept_state(ctx->ssl);
/* leave init state and start handshake */