Bug 5390: Non-POD SquidConfig::ssl_client::sslContext exit crash

Squid may crash when SquidConfig global destruction is initiated by exit() handlers. The problem is that when its non-POD ssl_client::sslContext field is destructed and and SSL_CTX_free() cleanup starts, some of the required SSL environment may be already unavailable. Now we avoid these problems by allocating ssl_client::sslContext dynamically and ensuring that its destructor never starts.
measurement-factory · Nov 17, 2024 · e6f30ce · e6f30ce
1 parent c8ea6a3
commit e6f30ce
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/src/SquidConfig.h b/src/SquidConfig.h
@@ -505,7 +505,7 @@ class SquidConfig
     struct {
         Security::FuturePeerContext *defaultPeerContext;
         // TODO: Remove when FuturePeerContext above becomes PeerContext
-        Security::ContextPointer sslContext;
+        Security::ContextPointer *sslContext;
 #if USE_OPENSSL
         char *foreignIntermediateCertsPath;
         acl_access *cert_error;

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
@@ -959,18 +959,18 @@ configDoConfigure(void)
 
     if (Security::ProxyOutgoingConfig.encryptTransport) {
         debugs(3, 2, "initializing https:// proxy context");
-        Config.ssl_client.sslContext = Security::ProxyOutgoingConfig.createClientContext(false);
-        if (!Config.ssl_client.sslContext) {
+        Config.ssl_client.sslContext = new Security::ContextPointer(Security::ProxyOutgoingConfig.createClientContext(false));
+        if (!Config.ssl_client.sslContext->get()) {
 #if USE_OPENSSL
             fatal("ERROR: Could not initialize https:// proxy context");
 #else
             debugs(3, DBG_IMPORTANT, "ERROR: proxying https:// currently still requires --with-openssl");
 #endif
         }
 #if USE_OPENSSL
-        Ssl::useSquidUntrusted(Config.ssl_client.sslContext.get());
+        Ssl::useSquidUntrusted(Config.ssl_client.sslContext->get());
 #endif
-        Config.ssl_client.defaultPeerContext = new Security::FuturePeerContext(Security::ProxyOutgoingConfig, Config.ssl_client.sslContext);
+        Config.ssl_client.defaultPeerContext = new Security::FuturePeerContext(Security::ProxyOutgoingConfig, *(Config.ssl_client.sslContext));
     }
 
     for (const auto &p: CurrentCachePeers()) {
@@ -3912,8 +3912,9 @@ configFreeMemory(void)
     free_all();
     Dns::ResolveClientAddressesAsap = false;
     delete Config.ssl_client.defaultPeerContext;
+    delete Config.ssl_client.sslContext;
     Config.ssl_client.defaultPeerContext = nullptr;
-    Config.ssl_client.sslContext.reset();
+    Config.ssl_client.sslContext = nullptr;
 #if USE_OPENSSL
     Ssl::unloadSquidUntrusted();
 #endif