Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / c3cd35f96cbb6739dace9906448c5a68f554d96e^! / .
commitc3cd35f96cbb6739dace9906448c5a68f554d96e[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.com>Tue Nov 28 11:04:43 2017 +0100
committerWilly Tarreau <w@1wt.eu>Tue Nov 28 12:04:16 2017 +0100
tree90640d64d9ff46820c6663d7b5d6f050d559ed84
parentb61028549e51b58abdafcf652ee2871767307a62 [diff]
BUG/MEDIUM: ssl: don't allocate shctx several time

The shctx_init() function does not check anymore if the pointer is not
NULL, this check must be done is the caller.

The consequence was to allocate one shctx per ssl bind.

Bug introduced by 4f45bb9 ("MEDIUM: shctx: separate ssl and shctx")

Thanks to Maciej Zdeb for reporting this bug.

Must be backported to 1.8.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 84804f7..da6f2de 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -324,7 +324,7 @@
 #define SSL_SOCK_NUM_KEYTYPES 1
 #endif
 
-static struct shared_context *ssl_shctx; /* ssl shared session cache */
+static struct shared_context *ssl_shctx = NULL; /* ssl shared session cache */
 static struct eb_root *sh_ssl_sess_tree; /* ssl shared session tree */
 
 #define sh_ssl_sess_tree_delete(s)	ebmb_delete(&(s)->key);
@@ -4705,24 +4705,24 @@
 			return -1;
 		}
 	}
-
-	alloc_ctx = shctx_init(&ssl_shctx, global.tune.sslcachesize,
-			       sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE,
-			       sizeof(*sh_ssl_sess_tree),
-			       ((global.nbthread > 1) || (!global_ssl.private_cache && (global.nbproc > 1))) ? 1 : 0);
-	if (alloc_ctx < 0) {
-		if (alloc_ctx == SHCTX_E_INIT_LOCK)
-			ha_alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n");
-		else
-			ha_alert("Unable to allocate SSL session cache.\n");
-		return -1;
+	if (!ssl_shctx) {
+		alloc_ctx = shctx_init(&ssl_shctx, global.tune.sslcachesize,
+		                       sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE,
+		                       sizeof(*sh_ssl_sess_tree),
+		                       ((global.nbthread > 1) || (!global_ssl.private_cache && (global.nbproc > 1))) ? 1 : 0);
+		if (alloc_ctx < 0) {
+			if (alloc_ctx == SHCTX_E_INIT_LOCK)
+				ha_alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n");
+			else
+				ha_alert("Unable to allocate SSL session cache.\n");
+			return -1;
+		}
+		/* free block callback */
+		ssl_shctx->free_block = sh_ssl_sess_free_blocks;
+		/* init the root tree within the extra space */
+		sh_ssl_sess_tree = (void *)ssl_shctx + sizeof(struct shared_context);
+		*sh_ssl_sess_tree = EB_ROOT_UNIQUE;
 	}
-	/* free block callback */
-	ssl_shctx->free_block = sh_ssl_sess_free_blocks;
-	/* init the root tree within the extra space */
-	sh_ssl_sess_tree = (void *)ssl_shctx + sizeof(struct shared_context);
-	*sh_ssl_sess_tree = EB_ROOT_UNIQUE;
-
 	err = 0;
 	/* initialize all certificate contexts */
 	err += ssl_sock_prepare_all_ctx(bind_conf);