From 3e6d030ce281bbd3e4d8205171fb0fa678cad306 Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Fri, 13 Feb 2026 13:30:24 +0100
Subject: [PATCH] BUG/MEDIUM: ssl: SSL backend sessions used after free

This bug impacts only the backends. The sessions cached could be used after been freed because of a missing write lock into ssl_sock_handle_hs_error() when freeing such objects.

This issue could be rarely reproduced and only with QUIC with difficulties (random CRYPTO data corruptions and instrumented code).

Must be backported as far as 2.6.
---
 src/ssl_sock.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 291aa9467..c1ebf7c35 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6008,8 +6008,9 @@ void ssl_sock_handle_hs_error(struct connection *conn)
 * another thread */
 HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
- if (s->ssl_ctx.reused_sess[tid].ptr)
- ha_free(&s->ssl_ctx.reused_sess[tid].ptr);
+ HA_RWLOCK_WRLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.reused_sess[tid].sess_lock);
+ ha_free(&s->ssl_ctx.reused_sess[tid].ptr);
+ HA_RWLOCK_WRUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.reused_sess[tid].sess_lock);
 HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
 }
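Review bot: The comment ending in ` * another thread */` at the top of the hunk was written for the outer read lock on `ssl_ctx.lock` alone; now that a nested write lock on `reused_sess[tid].sess_lock` wraps the free, the new lines deserve a sentence of their own, e.g. `/* sess_lock held for writing: another thread may be reading reused_sess[tid].ptr */` above the `HA_RWLOCK_WRLOCK` call. The hunk establishes an order of "ssl_ctx.lock (read) then sess_lock (write)"; the other call sites that take both locks should be checked to acquire them in the same order, which cannot be seen from this hunk. Dropping the `if` guard around `ha_free()` looks safe provided `ha_free()` tolerates a NULL pointer, as the free-and-clear wrappers of this kind usually do. The body of ssl_sock_handle_hs_error() begins outside the hunk.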