Hi James,

On Thu, Jan 30, 2014 at 11:20:07PM +0000, James Hogarth wrote:
> On 30 January 2014 22:21, Lukas Tribus <[email protected]> wrote:
>
> > Please provide the smallest config you can reproduce the problem with
> > and the output of "haproxy -vv". I cannot currently reproduce this.
>
> Sorry I missed config and -vvv :
>
> [root@localhost ~]# haproxy -vvv
> HA-Proxy version 1.5-dev21-6b07bf7 +2013/12/17
> Copyright 2000-2013 Willy Tarreau <[email protected]>
> (...)
Thank you for this detailed report, this is *very* useful. As you tracked the crash to happen inside openssl, I think you should file a report to centos/redhat because it's a security issue. It's possible that the bug is easier to trigger with haproxy or with a specific version of it than other products, but nevertheless, no lib should ever crash depending on the traffic, so I suspect there's an unchecked error code in it causing a NULL pointer to be dereferenced.

In 1.5-dev12, I believe we did not yet support SNI, which could be an explanation for the different behaviour between the two versions.

I think that the chroot is needed to trigger the bug simply because the glibc does not find a file it looks up, and causes a different return code to be fed to openssl.

It would be useful to know if you can also trigger the issue using the legacy openssl library instead of the distro's version (just pick 1.0.0l or 1.0.1f from the site if you're willing to rebuild it).

Thanks a lot!
Willy

