From acfe628b6e093e64d1fba5fea1d5f9b3a7d119cc Mon Sep 17 00:00:00 2001 From: =?utf8?q?Lutz=20J=C3=A4nicke?= Date: Sun, 10 Feb 2002 12:46:41 +0000 Subject: [PATCH] Make removal from session cache more robust. --- CHANGES | 8 +++++++- ssl/ssl_sess.c | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index e17a661e91..4db9aadf87 100644 --- a/CHANGES +++ b/CHANGES @@ -13,7 +13,13 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only - +) Do not store session data into the internal session cache, if it + *) Make removal from session cache (SSL_CTX_remove_session()) more robust: + check whether we deal with a copy of a session and do not delete from + the cache in this case. Problem reported by "Izhar Shoshani Levi" + . + [Lutz Jaenicke] + + *) Do not store session data into the internal session cache, if it is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP flag is set). Proposed by Aslam . [Lutz Jaenicke] diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 9078d759f5..6424f775e2 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -474,10 +474,10 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if ((c != NULL) && (c->session_id_length != 0)) { if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - r=(SSL_SESSION *)lh_delete(ctx->sessions,c); - if (r != NULL) + if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c) { ret=1; + r=(SSL_SESSION *)lh_delete(ctx->sessions,c); SSL_SESSION_list_remove(ctx,c); } -- 2.25.1