1.Although it was a low-frequency operation, But we found a serious problem with the code that caused this problem using the openSSL API.

2.reason:
The main process first initializes the TLS module, causing the OpenSSL Error queue to initialize, followed by the fork process, the child process does not initialize in the error queue (multiple processes share the error memory), and the OpenSSL API of multiple child processes may have a double free when the error queue is free

main.cp for init TLS
#ifdef USE_TCP
#ifdef USE_TLS
if (!tls_disable){
if (!tls_loaded()){
LM_WARN("tls support enabled, but no tls engine "
" available (forgot to load the tls module?)\n");
LM_WARN("disabling tls...\n");
tls_disable=1;
} else {
if (pre_init_tls()<0){
LM_CRIT("could not pre-initialize tls, exiting...\n");
goto error;
}
}
}
#endif /* USE_TLS */
#endif /* USE_TCP */

--------->openssl err.c this state , multiple child processes ,share the error memory,and may have a double free when the error queue is free
ERR_STATE *ERR_get_state(void)
{
ERR_STATE *state;
int saveerrno = get_last_sys_error();

if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
return NULL;

if (!RUN_ONCE(&err_init, err_do_init))
return NULL;

state = CRYPTO_THREAD_get_local(&err_thread_local);
if (state == (ERR_STATE*)-1)
return NULL;

if (state == NULL) {
if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1))
return NULL;

if ((state = OPENSSL_zalloc(sizeof(*state))) == NULL) {
CRYPTO_THREAD_set_local(&err_thread_local, NULL);
return NULL;
}

if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ERR_STATE)
|| !CRYPTO_THREAD_set_local(&err_thread_local, state)) {
ERR_STATE_free(state);
CRYPTO_THREAD_set_local(&err_thread_local, NULL);
return NULL;
}

/* Ignore failures from these */
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
}

set_sys_error(saveerrno);
return state;
}
此致,
敬礼!
姓名宋伟

信令部软件工程师
***@***.***
电话:0571-86849591-3618

---- Replied Message ----
From Henning ***@***.***>Date 12/31/2022 00:26To ***@***.***>Cc ***@***.***> ,
***@***.***>Subject Re: [kamailio/kamailio] limit tls.reload interval to prevent memory corruption in case of to frequent reloads (Issue #3305)

You should only do a tls reload when the you change the certificate. Usually this happes not often, like once a month or so.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.Message ID: ***@***.***>

—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.