Mercurial > hg > nginx

diff src/http/modules/ngx_http_proxy_module.c @ 5659:3fb6615bb87f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Upstream: plugged potential memory leak on reload. The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in SSL context leak. In theory, ngx_pool_cleanup_add() may fail too, but this case is intentionally left out for now as it's almost impossible and proper fix will require changes to http ssl and mail ssl code as well.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 18 Apr 2014 20:13:24 +0400
parents d15822784cf9
children 7022564a9e0e
line wrap: on
line diff
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -3774,6 +3774,14 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }
 
+    cln = ngx_pool_cleanup_add(cf->pool, 0);
+    if (cln == NULL) {
+        return NGX_ERROR;
+    }
+
+    cln->handler = ngx_ssl_cleanup_ctx;
+    cln->data = plcf->upstream.ssl;
+
     if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
                                 (const char *) plcf->ssl_ciphers.data)
         == 0)
@@ -3784,14 +3792,6 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }
 
-    cln = ngx_pool_cleanup_add(cf->pool, 0);
-    if (cln == NULL) {
-        return NGX_ERROR;
-    }
-
-    cln->handler = ngx_ssl_cleanup_ctx;
-    cln->data = plcf->upstream.ssl;
-
     return NGX_OK;
 }