From 01572282ff014446736faf92baab7650261d8213 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oto=20=C5=A0=C5=A5=C3=A1va?= <oto.stava@nic.cz>
Date: Thu, 23 Jun 2022 10:14:58 +0200
Subject: [PATCH] daemon/tls: fix a double-free for some cases of
 policy.TLS_FORWARD

The double-free may have happened in some cases when the upstream
resolver was stopped while answering a forwarded query. I was reliably
reproducing it by running resperf on two kresd instances with one forwarded
to the other, and killing the upstream one.
---
 NEWS         | 1 +
 daemon/tls.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/NEWS b/NEWS
index de2f5b277..b0a3b467a 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@ Improvements
 Bugfixes
 --------
 - daemon/http: improved URI checks to fix some proxies (#746, !1311)
+- daemon/tls: fixed a double-free for some cases of policy.TLS_FORWARD (!1314)
 
 
 Knot Resolver 5.5.1 (2022-06-14)
diff --git a/daemon/tls.c b/daemon/tls.c
index 44a28b549..8d69d8567 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -389,6 +389,8 @@ void tls_client_close(struct tls_client_ctx *ctx)
 	/* Store the current session data for potential resumption of this session */
 	if (ctx->params) {
 		gnutls_free(ctx->params->session_data.data);
+		ctx->params->session_data.data = NULL;
+		ctx->params->session_data.size = 0;
 		gnutls_session_get_data2(ctx->c.tls_session, &ctx->params->session_data);
 	}
 
-- 
GitLab