Skip to content

openssl: fix fd double-close in relpTcpDestruct#292

Open
rmetrich wants to merge 1 commit into
rsyslog:masterfrom
rmetrich:openssl-EBADF
Open

openssl: fix fd double-close in relpTcpDestruct#292
rmetrich wants to merge 1 commit into
rsyslog:masterfrom
rmetrich:openssl-EBADF

Conversation

@rmetrich

@rmetrich rmetrich commented Jul 2, 2026

Copy link
Copy Markdown

relpTcpDestruct() closed the socket fd before calling relpTcpDestructTLS(), causing SSL_shutdown() to operate on an already-closed fd. Additionally, BIO_new_socket() was called with BIO_CLOSE, making SSL_free() close the fd a second time via the BIO destructor. Strace on every TLS teardown:

  shutdown(12, SHUT_RDWR) = 0
  close(12)               = 0           # relpTcpDestruct
  write(12, ...)          = -1 EBADF    # SSL_shutdown on closed fd
  close(12)               = -1 EBADF    # SSL_free BIO_CLOSE

Fix:

  • Move relpTcpDestructTLS() before the socket close so SSL_shutdown() can send the close_notify on a valid fd.
  • Change BIO_new_socket() from BIO_CLOSE to BIO_NOCLOSE so SSL_free() does not close the fd.

Summary by cubic

Fixes EBADF errors and fd double-close in TLS teardown by destroying TLS before closing the socket and ensuring OpenSSL doesn’t close or free the socket/BIO.

  • Bug Fixes
    • Call relpTcpDestructTLS() before shutdown/close so SSL_shutdown() runs on a valid fd and sends close_notify.
    • Create the BIO with BIO_NOCLOSE and transfer ownership to SSL (SSL_set_bio(...); conn = NULL) so SSL_free() doesn’t close or double-free the socket/BIO.

Written for commit 940cd18. Summary will update on new commits.

Review in cubic

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request modifies src/tcp.c to call relpTcpDestructTLS earlier in relpTcpDestruct and changes the OpenSSL socket BIO creation to use BIO_NOCLOSE instead of BIO_CLOSE. Feedback highlights a potential double-free vulnerability in relpTcpConnectTLSInit_ossl on error paths where BIO_free is manually called after ownership of the BIO has already been transferred to the SSL structure.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread src/tcp.c

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Confidence score: 2/5

  • In src/tcp.c around the SSL_set_bio(pThis->ssl, conn, conn) call, BIO ownership appears to be mishandled (the SSL object takes ownership, with only one reference consumed when the same BIO is used twice), which can lead to a double-free/use-after-free or leak during connection teardown; adjust the post-call lifetime management to match OpenSSL ownership rules before merging.

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic

Comment thread src/tcp.c
relpTcpDestruct() closed the socket fd before calling
relpTcpDestructTLS(), causing SSL_shutdown() to operate on an
already-closed fd. Additionally, BIO_new_socket() was called with
BIO_CLOSE, making SSL_free() close the fd a second time via the BIO
destructor. Strace on every TLS teardown:

  shutdown(12, SHUT_RDWR) = 0
  close(12)               = 0           # relpTcpDestruct
  write(12, ...)          = -1 EBADF    # SSL_shutdown on closed fd
  close(12)               = -1 EBADF    # SSL_free BIO_CLOSE

Fix:
- Move relpTcpDestructTLS() before the socket close so SSL_shutdown()
  can send the close_notify on a valid fd.
- Change BIO_new_socket() from BIO_CLOSE to BIO_NOCLOSE so SSL_free()
  does not close the fd.
@rgerhards rgerhards self-assigned this Jul 2, 2026
@rgerhards rgerhards added the bug label Jul 2, 2026
@rmetrich

rmetrich commented Jul 2, 2026

Copy link
Copy Markdown
Author

The coverage / test error is something wrong on CI side.

@rgerhards

Copy link
Copy Markdown
Member

The coverage / test error is something wrong on CI side.

I agree

@rmetrich

rmetrich commented Jul 9, 2026

Copy link
Copy Markdown
Author

@rgerhards Is there something wrong with my PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants