This has been commited, thanks!
Erik Lax(e...@halon.se) on 2013.11.19 22:40:38 +0100:
> Hi,
>
> In relayd, if a relay is configured with two "listen on" directives, one
> with ssl and one without. In the relay_inherit function the ssl pointers
> (cert and key) are copied to the latter, and used/freed even if F_SSL is
> not set. This causes a double free later in purge_relay.
>
> relay "http" {
> listen on 127.0.0.1 port 4433 ssl
> listen on 127.0.0.1 port 8080
> forward with ssl to 127.0.0.1 port 443
> }
>
> There following patch fixes this.
>
> --- usr.sbin/relayd/parse.y.orig Tue Nov 19 22:10:48 2013
> +++ usr.sbin/relayd/parse.y Tue Nov 19 22:09:41 2013
> @@ -2809,6 +2809,12 @@
> rb->rl_conf.port = rc.port;
> rb->rl_conf.flags =
> (ra->rl_conf.flags & ~F_SSL) | (rc.flags & F_SSL);
> + if (!(rb->rl_conf.flags & F_SSL)) {
> + rb->rl_ssl_cert = NULL;
> + rb->rl_conf.ssl_cert_len = 0;
> + rb->rl_ssl_key = NULL;
> + rb->rl_conf.ssl_key_len = 0;
> + }
> TAILQ_INIT(&rb->rl_tables);
>
> rb->rl_conf.id = ++last_relay_id;
>
--
