Re: relayd: crash with two listen on (one is ssl)
This has been committed, thanks!

Erik Lax(e...@halon.se) on 2013.11.19 22:40:38 +0100:

Hi,

In relayd, if a relay is configured with two listen on directives, one with ssl and one without, in the relay_inherit function the ssl pointers (cert and key) are copied to the latter, and used/freed even if F_SSL is not set. This causes a double free later in purge_relay.

relay http {
	listen on 127.0.0.1 port 4433 ssl
	listen on 127.0.0.1 port 8080
	forward with ssl to 127.0.0.1 port 443
}

The following patch fixes this.

--- usr.sbin/relayd/parse.y.orig Tue Nov 19 22:10:48 2013 +++ usr.sbin/relayd/parse.y Tue Nov 19 22:09:41 2013 @@ -2809,6 +2809,12 @@ rb-rl_conf.port = rc.port; rb-rl_conf.flags = (ra-rl_conf.flags ~F_SSL) | (rc.flags F_SSL); + if (!(rb-rl_conf.flags F_SSL)) { + rb-rl_ssl_cert = NULL; + rb-rl_conf.ssl_cert_len = 0; + rb-rl_ssl_key = NULL; + rb-rl_conf.ssl_key_len = 0; + } TAILQ_INIT(rb-rl_tables); rb-rl_conf.id = ++last_relay_id;
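
Review bot: The added if block that resets rl_ssl_cert, rl_ssl_key and the two length fields carries no comment saying why the inherited relay must drop them, so a later cleanup could take the assignments for redundant and remove them. A one-line comment above the if, stating that a non-ssl listener must not keep the cert and key pointers it inherited because purge_relay would otherwise free them a second time, would record the reason next to the code.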
relayd: crash with two listen on (one is ssl)
Hi,

In relayd, if a relay is configured with two listen on directives, one with ssl and one without, in the relay_inherit function the ssl pointers (cert and key) are copied to the latter, and used/freed even if F_SSL is not set. This causes a double free later in purge_relay.

relay http {
	listen on 127.0.0.1 port 4433 ssl
	listen on 127.0.0.1 port 8080
	forward with ssl to 127.0.0.1 port 443
}

The following patch fixes this.

--- usr.sbin/relayd/parse.y.origTue Nov 19 22:10:48 2013 +++ usr.sbin/relayd/parse.y Tue Nov 19 22:09:41 2013 @@ -2809,6 +2809,12 @@ rb-rl_conf.port = rc.port; rb-rl_conf.flags = (ra-rl_conf.flags ~F_SSL) | (rc.flags F_SSL); + if (!(rb-rl_conf.flags F_SSL)) { + rb-rl_ssl_cert = NULL; + rb-rl_conf.ssl_cert_len = 0; + rb-rl_ssl_key = NULL; + rb-rl_conf.ssl_key_len = 0; + } TAILQ_INIT(rb-rl_tables); rb-rl_conf.id = ++last_relay_id;
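
Review bot: The new check only handles an inherited relay whose flags lack F_SSL; when the second listen directive also carries ssl, rb keeps the cert and key pointers that, per the description, relay_inherit copied from ra, and nothing in this hunk shows which relay owns those buffers. It is worth confirming that purge_relay does not free them once per relay in that case, or giving rb its own copies of the cert and key rather than clearing the pointers only in the non-ssl branch.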