BUG/MEDIUM: Cur/CumSslConns counters not threadsafe.
CurSslConns inc/dec operations are not threadsafe. The unsigned CurSslConns
counter can wrap to a negative value. So we could notice connection rejects
because of MaxSslConns limit artificially exceeded.
CumSslConns inc operations are also not threadsafe, so we could miss
some connections and show inconsistent values compared to CumConns.
This fix should be backported to v1.8.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 07e039f..d4827e5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -495,7 +495,7 @@
/* Now we can safely call SSL_free, no more pending job in engines */
SSL_free(ssl);
- sslconns--;
+ HA_ATOMIC_SUB(&sslconns, 1);
HA_ATOMIC_SUB(&jobs, 1);
}
/*
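Review bot: The decrement at `HA_ATOMIC_SUB(&sslconns, 1);` has no comment saying which increment it balances, and the @@ -5728 hunk has a second decrement that also follows an `SSL_free`. The atomic operation removes the lost-update race, but it would not stop the unsigned counter from wrapping if both sites ever ran for the same connection; nothing visible in these hunks shows that they are mutually exclusive. I would document the pairing here, for example `/* sslconns: dropped exactly once per connection, here for the deferred free, otherwise in the close path */`, after confirming that this holds. The enclosing function starts and ends outside the hunk.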
@@ -5032,8 +5032,8 @@
/* leave init state and start handshake */
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
- sslconns++;
- totalsslconns++;
+ HA_ATOMIC_ADD(&sslconns, 1);
+ HA_ATOMIC_ADD(&totalsslconns, 1);
return 0;
}
else if (objt_listener(conn->target)) {
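Review bot: Making the increment atomic at `HA_ATOMIC_ADD(&sslconns, 1);` does not by itself make the MaxSslConns limit exact. If the limit test earlier in this function (outside the hunk) still compares `sslconns` with a plain read before this add, several threads can pass the test together and push the counter past the limit. The same applies to the listener branch in the @@ -5083 hunk. If the limit is meant to be strict, the test should be made on the value produced by the atomic add, with a matching `HA_ATOMIC_SUB` on rejection. Otherwise a comment should say it is best-effort, e.g. `/* maxsslconn is tested before this add; concurrent handshakes may briefly exceed it */`.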
@@ -5083,8 +5083,8 @@
conn->flags |= CO_FL_EARLY_SSL_HS;
#endif
- sslconns++;
- totalsslconns++;
+ HA_ATOMIC_ADD(&sslconns, 1);
+ HA_ATOMIC_ADD(&totalsslconns, 1);
return 0;
}
/* don't know how to handle such a target */
@@ -5728,7 +5728,7 @@
#endif
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
- sslconns--;
+ HA_ATOMIC_SUB(&sslconns, 1);
}
}