Make removal from session cache more robust.
authorLutz Jänicke <jaenicke@openssl.org>
Sun, 10 Feb 2002 12:46:41 +0000 (12:46 +0000)
committerLutz Jänicke <jaenicke@openssl.org>
Sun, 10 Feb 2002 12:46:41 +0000 (12:46 +0000)
CHANGES
ssl/ssl_sess.c

diff --git a/CHANGES b/CHANGES
index e17a661..4db9aad 100644 (file)
--- a/CHANGES
+++ b/CHANGES
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 
-  +) Do not store session data into the internal session cache, if it
+  *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
+     check whether we deal with a copy of a session and do not delete from
+     the cache in this case. Problem reported by "Izhar Shoshani Levi"
+     <izhar@checkpoint.com>.
+     [Lutz Jaenicke]
+
+  *) Do not store session data into the internal session cache, if it
      is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
      flag is set). Proposed by Aslam <aslam@funk.com>.
      [Lutz Jaenicke]
index 9078d75..6424f77 100644 (file)
@@ -474,10 +474,10 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
        if ((c != NULL) && (c->session_id_length != 0))
                {
                if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-               r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
-               if (r != NULL)
+               if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)
                        {
                        ret=1;
+                       r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
                        SSL_SESSION_list_remove(ctx,c);
                        }