author    Valentin Bartenev <vbart@nginx.com>  2021-03-15 14:57:01 +0300
committer Valentin Bartenev <vbart@nginx.com>  2021-03-15 14:57:01 +0300
commit    a1107e859b5f401261d378fc251667bcf2272536 (patch)
tree      ad10383ccc6d0615fe5d2bc08ff94e56ac8752de
parent    1950d0aee2bc95f1cb6a07349f11eb5e5f6edf5c (diff)
download  unit-a1107e859b5f401261d378fc251667bcf2272536.tar.gz
          unit-a1107e859b5f401261d378fc251667bcf2272536.tar.bz2
Fixed TLS connection shutdown on errors.
An immediate return statement on connection errors was mistakenly added to the beginning of nxt_openssl_conn_io_shutdown() in ecd3c5bbf7d8, breaking the TLS connection finalization procedure. As a result, a TLS connection was left unfinalized if it had been closed prematurely or a fatal protocol error had occurred, which caused memory and socket descriptor leakage. Moreover, in some cases (notably, on handshake errors in tests with kqueue on macOS) the read event was triggered later and nxt_h1p_conn_error() was called the second time; after the change in af93c866b4f0, the latter call crashed the router process in an attempt to remove a connection from the idle queue twice.
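The commit message above describes the failure mechanism in prose. As an added illustration that is not NGINX Unit's code (every name below, such as conn_t, conn_shutdown_buggy and conn_shutdown_fixed, is a constructed stand-in for the real nxt_* structures and functions), the following C model contrasts a shutdown routine that returns early on a connection error with one that always runs finalization. It counts the simulated descriptors and TLS objects still held after a premature close and shows why a stray later read event reaches the error handler a second time only in the buggy variant.

```c
/* Constructed model of the bug class this commit fixes: an early return on a
 * connection error that skips finalization, leaking the descriptor and the TLS
 * object and leaving the connection registered for further events. Not NGINX
 * Unit's code; every name here (conn_t, conn_shutdown_buggy, ...) is made up. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    int   socket_error;   /* non-zero once a fatal socket/protocol error was seen */
    void *tls;            /* heap block standing in for the TLS session state */
    int   finalized;      /* guards against finalizing twice */
    int   error_calls;    /* how many times the error handler ran on this conn */
} conn_t;

typedef struct {
    int leaked;           /* descriptors + TLS objects still held after shutdown */
    int error_calls;
} outcome_t;

/* Live-resource counters: anything non-zero after shutdown is a leak. */
static int g_open_fds;
static int g_tls_objects;

static void conn_open(conn_t *c)
{
    memset(c, 0, sizeof(*c));
    g_open_fds++;               /* simulated socket descriptor */
    c->tls = malloc(64);
    g_tls_objects++;
}

/* Finalization proper: releases everything exactly once, whatever the reason
 * the connection is going away. */
static void conn_finalize(conn_t *c)
{
    if (c->finalized) {
        return;                 /* idempotent: a repeated call must be harmless */
    }
    c->finalized = 1;
    free(c->tls);
    c->tls = NULL;
    g_tls_objects--;
    g_open_fds--;
}

/* Buggy variant, mirroring the four removed lines: bail out on error before
 * any cleanup, so an errored connection is never finalized. */
static void conn_shutdown_buggy(conn_t *c)
{
    if (c->socket_error != 0) {
        return;
    }
    /* a clean close_notify exchange would go here */
    conn_finalize(c);
}

/* Fixed variant: on error skip only the protocol-level close, never the
 * resource release. */
static void conn_shutdown_fixed(conn_t *c)
{
    if (c->socket_error == 0) {
        ;   /* a clean close_notify exchange would go here */
    }
    conn_finalize(c);
}

/* Error handler as an event loop would invoke it. A finalized connection is
 * no longer registered for events, so a late read event is dropped. */
static void conn_error(conn_t *c, void (*shutdown_fn)(conn_t *))
{
    if (c->finalized) {
        return;
    }
    c->error_calls++;
    c->socket_error = 1;
    shutdown_fn(c);
}

/* Premature close followed by a stray read event on the same connection. */
static outcome_t simulate_premature_close(void (*shutdown_fn)(conn_t *))
{
    conn_t    c;
    outcome_t out;

    g_open_fds = 0;
    g_tls_objects = 0;
    conn_open(&c);

    conn_error(&c, shutdown_fn);   /* peer vanished mid-handshake */
    conn_error(&c, shutdown_fn);   /* late read event on the same conn */

    out.leaked = g_open_fds + g_tls_objects;
    out.error_calls = c.error_calls;
    free(c.tls);                   /* NULL once finalized; keeps the model itself leak-free */
    return out;
}
```

With the buggy shutdown the simulation ends with two leaked resources and the error handler invoked twice; with the fixed one nothing is leaked and the second event is dropped because the connection is already finalized. The model deliberately keeps the protocol-level close out of the error path: the change in this commit restores finalization, not a close_notify on a dead socket.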
Diffstat (limited to '')
-rw-r--r--  docs/changes.xml   | 14
-rw-r--r--  src/nxt_openssl.c  |  4
2 files changed, 14 insertions, 4 deletions
diff --git a/docs/changes.xml b/docs/changes.xml
index b8c76089..d9d25e5c 100644
--- a/docs/changes.xml
+++ b/docs/changes.xml
@@ -11,6 +11,20 @@
<change type="bugfix">
<para>
+the router process could crash on premature TLS connection close; the bug had
+appeared in 1.17.0.
+</para>
+</change>
+
+<change type="bugfix">
+<para>
+a connection leak occurring on premature TLS connection close; the bug had
+appeared in 1.6.
+</para>
+</change>
+
+<change type="bugfix">
+<para>
a descriptor leak occurring in the router process when removing or
reconfiguring an application; the bug had appeared in 1.19.0.
</para>
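Review bot: both new entries describe the trigger only as "premature TLS connection close", while the commit message also names a fatal protocol error (handshake errors in particular) as a path that left the connection unfinalized; consider widening the wording, e.g. "on premature close or a fatal protocol error on a TLS connection", so users hitting the handshake-error case can match the fix in the changelog. The two entries also give different origin versions (1.17.0 for the crash, 1.6 for the leak), which is consistent with the commit message attributing them to two separate earlier changes; it would help to keep that pairing explicit by listing the leak entry first, since the crash is a consequence of the leaked, unfinalized connection.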
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 832d1f0d..3c0212f7 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -720,10 +720,6 @@ nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, void *data)
nxt_debug(task, "openssl conn shutdown fd:%d", c->socket.fd);
- if (c->socket.error != 0) {
- return;
- }
-
c->read_state = NULL;
tls = c->u.tls;
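Review bot: with the `if (c->socket.error != 0) { return; }` guard removed, everything after `c->read_state = NULL;` now runs for connections that already hit a fatal error; the hunk shown here ends at `tls = c->u.tls;`, so the rest of nxt_openssl_conn_io_shutdown() is not visible for review and should be checked to confirm it tolerates c->socket.error != 0 (notably that it does not attempt a close_notify write on a socket known to be dead) while still reaching the finalization step the commit message says was being skipped. The diffstat reports exactly 4 deletions in this file, matching the four `-` lines, so no other code path changed; given the kqueue-on-macOS handshake-error case named in the message, a regression test that closes the client mid-handshake and checks the router for leaked descriptors would guard against this returning.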