commit 94ff03af84ee0c4a2b6cfb92332fcafbcdc48765
author Willy Tarreau <w@1wt.eu> Thu Dec 22 17:57:46 2016 +0100
committer Willy Tarreau <w@1wt.eu> Thu Dec 22 22:07:36 2016 +0100
tree cd7a91e496a2f94f5850ff2e1e686f5f87d5a267
parent 30fd4bd8446dd7104b7d1cae9e762c7d1405171a

BUG/MEDIUM: ssl: avoid double free when releasing bind_confs

ssl_sock functions don't mark pointers as NULL after freeing them. So
if a "bind" line specifies some SSL settings without the "ssl" keyword,
they will get freed at the end of check_config_validity(), then freed
a second time on exit. Simply mark the pointers as NULL to fix this.
This fix needs to be backported to 1.7 and 1.6.

src/cfgparse.c

diff --git a/src/cfgparse.c b/src/cfgparse.c
index e9876f8..1c9b430 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -8850,6 +8850,13 @@
 				LIST_DEL(&bind_conf->keys_ref->list);
 				free(bind_conf->keys_ref);
 			}
+			bind_conf->keys_ref = NULL;
+			bind_conf->crl_file = NULL;
+			bind_conf->ecdhe = NULL;
+			bind_conf->ciphers = NULL;
+			bind_conf->ca_sign_pass = NULL;
+			bind_conf->ca_sign_file = NULL;
+			bind_conf->ca_file = NULL;
 #endif /* USE_OPENSSL */
 		}
 

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b681d63..6739fbc 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3334,6 +3334,8 @@
 		EVP_PKEY_free(bind_conf->ca_sign_pkey);
 	if (bind_conf->ca_sign_cert)
 		X509_free(bind_conf->ca_sign_cert);
+	bind_conf->ca_sign_pkey = NULL;
+	bind_conf->ca_sign_cert = NULL;
 }
 
 /*