BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
As the server early data buffer is allocated in the middle of the loop
used to allocate the SSL session without being freed before retrying,
this leads to a memory leak.
To fix this we move the section of code responsible of this early data buffer
alloction after the one reponsible of allocating the SSL session.
Must be backported to 2.1 and 2.0.
(cherry picked from commit 3139c1b198bbcc14c6940f214234afd004110387)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 58aa87dd3ef5bf6ba7fb2bd5c432dc413dfcdef0)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 32e478e..63178b8 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5314,18 +5314,6 @@
conn->err_code = CO_ER_SSL_NO_MEM;
goto err;
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
- if (__objt_listener(conn->target)->bind_conf->ssl_conf.early_data) {
- b_alloc(&ctx->early_buf);
- SSL_set_max_early_data(ctx->ssl,
- /* Only allow early data if we managed to allocate
- * a buffer.
- */
- (!b_is_null(&ctx->early_buf)) ?
- global.tune.bufsize - global.tune.maxrewrite : 0);
- }
-#endif
-
ctx->bio = BIO_new(ha_meth);
if (!ctx->bio) {
SSL_free(ctx->ssl);
@@ -5352,6 +5340,18 @@
goto err;
}
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ if (__objt_listener(conn->target)->bind_conf->ssl_conf.early_data) {
+ b_alloc(&ctx->early_buf);
+ SSL_set_max_early_data(ctx->ssl,
+ /* Only allow early data if we managed to allocate
+ * a buffer.
+ */
+ (!b_is_null(&ctx->early_buf)) ?
+ global.tune.bufsize - global.tune.maxrewrite : 0);
+ }
+#endif
+
SSL_set_accept_state(ctx->ssl);
/* leave init state and start handshake */