summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteven Luong <sluong@cisco.com>2022-11-03 14:34:07 -0700
committersteven luong <sluong@cisco.com>2022-11-03 21:46:40 +0000
commit208e7dc3627385593973212fa09262d4384cc42b (patch)
tree96022254c85c16b6c2f83cce3cacdd8f2d7dc797
parente69d97438530511a1b71216f1460fe1a8c1450fe (diff)
tls: crash in mbedtls due to ctx is already free
_clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7fffb3a7e1b5 "%s:%d (%s) assertion `%s' fails") at src/vppinfra/error.c:143 mbedtls_ctx_get (ctx_index=0) at src/plugins/tlsmbedtls/tls_mbedtls.c:114 tls_ctx_get (ctx_handle=536870912) at src/vnet/tls/tls.c:310 tls_app_session_cleanup (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/tls/tls.c:624 app_worker_cleanup_notify (app_wrk=0x7fffbef95f80, s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/application_worker.c:445 session_cleanup_notify (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/session.c:262 session_free_w_fifos (s=0x7fffbf102040) at src/vnet/session/session.c:268 session_delete (s=0x7fffbf102040) at src/vnet/session/session.c:287 session_transport_delete_notify (tc=0x7fffbdf63c40) at src/vnet/session/session.c:1159 tcp_handle_cleanups (wrk=0x7fffbef46d40, now=133.30033046694487) at src/vnet/tcp/tcp.c:1298 tcp_update_time (now=133.30033046694487, thread_index=2 '\002') at src/vnet/tcp/tcp.c:1309 session_update_time_subscribers (smm=0x7ffff7f75ce0 <session_main>, now=133.30033046694487, thread_index=2) at src/vnet/session/session_node.c:1817 session_queue_node_fn (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, frame=0x0) at src/vnet/session/session_node.c:1934 dispatch_node (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT, dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0, last_time_stamp=4722227957546624) at src/vlib/main.c:960 Putting a breakpoint in gdb, I found out ctx was free in mbedtls_app_close. Looking at app_close function in picotls and openssl, I don't see they free ctx and they don't crash when processing cleanup. I am inclined to think that mbedtls_ctx_free should not be called in mbedtls_app_close at src/plugins/tlsmbedtls/tls_mbedtls.c:92 at src/plugins/tlsmbedtls/tls_mbedtls.c:559 at src/vnet/tls/tls.c:360 thread_index=2) at src/vnet/tls/tls.c:762 conn_index=536870912, thread_index=2 '\002') at src/vnet/session/transport.c:332 at src/vnet/session/session.c:1608 elt=0x7fffbdfef3dc) at src/vnet/session/session_node.c:1672 node=0x7fffbe0b1340, frame=0x0) at src/vnet/session/session_node.c:1966 node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT, dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0, last_time_stamp=4721919444027682) at src/vlib/main.c:960 Type: fix Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: Ic5c13e659aee618c8accee42af9f40931b62f467
-rw-r--r--src/plugins/tlsmbedtls/tls_mbedtls.c1
1 files changed, 0 insertions, 1 deletions
diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c
index a6b968eac14..928b31b4a7f 100644
--- a/src/plugins/tlsmbedtls/tls_mbedtls.c
+++ b/src/plugins/tlsmbedtls/tls_mbedtls.c
@@ -555,7 +555,6 @@ mbedtls_app_close (tls_ctx_t * ctx)
{
tls_disconnect_transport (ctx);
session_transport_delete_notify (&ctx->connection);
- mbedtls_ctx_free (ctx);
return 0;
}