Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 9bcc01ae25985dd540080f43b160beab1f1a2bc6^! / .
commit9bcc01ae25985dd540080f43b160beab1f1a2bc6[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Thu Nov 13 13:48:58 2014 +0100
committerWilly Tarreau <w@1wt.eu>Fri Nov 14 01:10:53 2014 +0100
tree0316ad3dcf674cecc37e009114762ab9adf0425d
parent90951497008967f10ba8f9927b53c6e6bc138540 [diff]
BUG/MEDIUM: ssl: force a full GC in case of memory shortage

When memory becomes scarce and openssl refuses to allocate a new SSL
session, it is worth freeing the pools and trying again instead of
rejecting all incoming SSL connection. This can happen when some
memory usage limits have been assigned to the haproxy process using
-m or with ulimit -m/-v.

This is mostly an enhancement of previous fix and is worth backporting
to 1.5.
(cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 620609f..f50efe5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -2033,9 +2033,16 @@
 	/* If it is in client mode initiate SSL session
 	   in connect state otherwise accept state */
 	if (objt_server(conn->target)) {
+		int may_retry = 1;
+
+	retry_connect:
 		/* Alloc a new SSL session ctx */
 		conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
 		if (!conn->xprt_ctx) {
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_connect;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2044,6 +2051,10 @@
 		if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
 			SSL_free(conn->xprt_ctx);
 			conn->xprt_ctx = NULL;
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_connect;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2052,6 +2063,10 @@
 		if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
 			SSL_free(conn->xprt_ctx);
 			conn->xprt_ctx = NULL;
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_connect;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2072,9 +2087,16 @@
 		return 0;
 	}
 	else if (objt_listener(conn->target)) {
+		int may_retry = 1;
+
+	retry_accept:
 		/* Alloc a new SSL session ctx */
 		conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx);
 		if (!conn->xprt_ctx) {
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_accept;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2083,6 +2105,10 @@
 		if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
 			SSL_free(conn->xprt_ctx);
 			conn->xprt_ctx = NULL;
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_accept;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2091,6 +2117,10 @@
 		if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
 			SSL_free(conn->xprt_ctx);
 			conn->xprt_ctx = NULL;
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_accept;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}