pon., 16 lip 2018 o 08:02 Willy Tarreau <w...@1wt.eu> napisał(a): > This one looks a bit strange. I looked at it a little bit and it corresponds > to the line "free(bind_conf->keys_ref->tlskeys);". Unfortunately, there is no > other line in the code appearing to perfom a free on this element, and when > passing through this code the key_ref is destroyed and properly nulled. I > checked if it was possible for this element not to be allocated and I don't > see how that could happen either. Thus I'm seeing only three possibilities : > > - this element was duplicated and appears at multiple places (multiple list > elements) leading to a real double free > > - there is a memory corruption somewhere possibly resulting in this element > being corrupted and not in fact victim of a double free > > - I can't read code and there is another free that I failed to detect. > > Are you able to trigger this on a trivial config ? Maybe it only happens > when certain features you have in your config are enabled ?
I've reported this some time ago :) https://firstname.lastname@example.org/msg30093.html -- Janusz Dziemidowicz