diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2014-04-18 20:13:24 +0400 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2014-04-18 20:13:24 +0400 |
| commit | 93eb94d622093829da4bd4c3e0af16b360e912e4 (patch) | |
| tree | 1b2edc57acda69d0dfc8f3322a18a1584435ceb9 /src | |
| parent | 6c9c973aa77b68a9adb1d0814ef5920aaf0ef157 (diff) | |
| download | nginx-93eb94d622093829da4bd4c3e0af16b360e912e4.tar.gz nginx-93eb94d622093829da4bd4c3e0af16b360e912e4.zip | |
Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.
In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/modules/ngx_http_proxy_module.c | 16 | ||||
| -rw-r--r-- | src/http/modules/ngx_http_uwsgi_module.c | 16 |
2 files changed, 16 insertions, 16 deletions
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c index 8ee32f491..9e2cf619f 100644 --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -3774,6 +3774,14 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) return NGX_ERROR; } + cln = ngx_pool_cleanup_add(cf->pool, 0); + if (cln == NULL) { + return NGX_ERROR; + } + + cln->handler = ngx_ssl_cleanup_ctx; + cln->data = plcf->upstream.ssl; + if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx, (const char *) plcf->ssl_ciphers.data) == 0) @@ -3784,14 +3792,6 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) return NGX_ERROR; } - cln = ngx_pool_cleanup_add(cf->pool, 0); - if (cln == NULL) { - return NGX_ERROR; - } - - cln->handler = ngx_ssl_cleanup_ctx; - cln->data = plcf->upstream.ssl; - return NGX_OK; } diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c index 17dfc3b3a..80d6cde40 100644 --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -2012,6 +2012,14 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf) return NGX_ERROR; } + cln = ngx_pool_cleanup_add(cf->pool, 0); + if (cln == NULL) { + return NGX_ERROR; + } + + cln->handler = ngx_ssl_cleanup_ctx; + cln->data = uwcf->upstream.ssl; + if (SSL_CTX_set_cipher_list(uwcf->upstream.ssl->ctx, (const char *) uwcf->ssl_ciphers.data) == 0) @@ -2022,14 +2030,6 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf) return NGX_ERROR; } - cln = ngx_pool_cleanup_add(cf->pool, 0); - if (cln == NULL) { - return NGX_ERROR; - } - - cln->handler = ngx_ssl_cleanup_ctx; - cln->data = uwcf->upstream.ssl; - return NGX_OK; } |