Hi,
In relayd, if a relay is configured with two "listen on" directives, one
with ssl and one without, then in the relay_inherit function the ssl pointers
(cert and key) are copied to the latter, and used/freed even if F_SSL is
not set. This causes a double free later in purge_relay.
relay "http" {
	listen on 127.0.0.1 port 4433 ssl
	listen on 127.0.0.1 port 8080
	forward with ssl to 127.0.0.1 port 443
}
The following patch fixes this.
--- usr.sbin/relayd/parse.y.orig Tue Nov 19 22:10:48 2013
+++ usr.sbin/relayd/parse.y Tue Nov 19 22:09:41 2013
@@ -2809,6 +2809,12 @@
rb->rl_conf.port = rc.port;
rb->rl_conf.flags =
(ra->rl_conf.flags & ~F_SSL) | (rc.flags & F_SSL);
+ if (!(rb->rl_conf.flags & F_SSL)) {
+ rb->rl_ssl_cert = NULL;
+ rb->rl_conf.ssl_cert_len = 0;
+ rb->rl_ssl_key = NULL;
+ rb->rl_conf.ssl_key_len = 0;
+ }
TAILQ_INIT(&rb->rl_tables);
rb->rl_conf.id = ++last_relay_id;
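
Review bot: the reset inside the added if (!(rb->rl_conf.flags & F_SSL)) block only covers the listener without F_SSL; when the inherited listener also has F_SSL, rb keeps the rl_ssl_cert and rl_ssl_key values it received from ra, so it is worth confirming that rb gets its own allocations on that path before purge_relay can free both relays. A short comment above the block stating that rb does not own ra's cert and key buffers would also make the intent clear to the next reader.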
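
The pointer aliasing described in the message above, as an added example that is not part of the original post and is not relayd's code. The struct, the function names and the F_SSL value are a simplified, hypothetical model; it counts the buffers both relays would free rather than performing the double free.

```c
#include <stdio.h>
#include <stdlib.h>

#define F_SSL 0x01 /* constructed value for this model, not relayd's */

/* Simplified stand-in for a relay: only the fields the patch touches. */
struct relay_model {
	unsigned int flags;
	char *ssl_cert;
	char *ssl_key;
};

/* Shallow copy as described in the post; fix != 0 applies the patch's reset. */
static void inherit_model(const struct relay_model *ra, struct relay_model *rb,
    unsigned int listen_flags, int fix)
{
	*rb = *ra; /* copies the cert/key pointers, not the buffers */
	rb->flags = (ra->flags & ~F_SSL) | (listen_flags & F_SSL);
	if (fix && !(rb->flags & F_SSL)) {
		rb->ssl_cert = NULL;
		rb->ssl_key = NULL;
	}
}

/* Number of buffers that purging both relays would pass to free() twice. */
static int aliased_buffers(const struct relay_model *a, const struct relay_model *b)
{
	return (a->ssl_cert && a->ssl_cert == b->ssl_cert) +
	    (a->ssl_key && a->ssl_key == b->ssl_key);
}

/* Build an SSL listener, derive a plain listener from it, report aliasing. */
static int demo(int fix)
{
	struct relay_model ra = { F_SSL, malloc(32), malloc(32) };
	struct relay_model rb;
	int n;

	inherit_model(&ra, &rb, 0, fix);
	n = aliased_buffers(&ra, &rb);
	free(ra.ssl_cert); /* released once, through the owner only */
	free(ra.ssl_key);
	return n;
}

int main(void)
{
	printf("unpatched: %d shared, patched: %d shared\n", demo(0), demo(1));
	return 0;
}
```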