[stunnel-users] [PATCH] only use aysnc-signal-safe functions after fork

Michal Trojnara Michal.Trojnara at mirt.net
Wed Oct 14 19:01:00 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Philip,

I didn't use the patch itself, but I implemented a similar
functionality in stunnel 5.25b2:
https://www.stunnel.org/downloads.html

Best regards,
	Mike

On 14.10.2015 10:41, Philip Craig wrote:
> POSIX requires that multi-threaded processes only use
> async-signal-safe functions after calling fork(). For more info on
> the problems this avoids, see the rationale at: 
> http://pubs.opengroup.org/onlinepubs/9699919799/functions/pthread_atfo
rk.html
>
>  The specific problem this patch solves is that, when there are
> multiple simultaneous requests, stunnel is often hanging on a futex
> syscall when a child process calls free as a result of
> tls_alloc().
> 
> This problem is experienced when using uClibc. I haven't tested,
> but I believe the malloc implementation in glibc does not have this
> problem.
> 
> 
> --- stunnel-5.24.orig/src/client.c +++ stunnel-5.24/src/client.c @@
> -1100,6 +1100,8 @@ NOEXPORT SOCKET connect_local(CLI *c) {
> 
> NOEXPORT SOCKET connect_local(CLI *c) { /* spawn local process */ 
> char *name, host[40], port[6]; +    char *env[10]; +    int i,
> envc; int fd[2], pid; X509 *peer_cert; #ifdef HAVE_PTHREAD_SIGMASK 
> @@ -1115,19 +1117,55 @@ NOEXPORT SOCKET connect_local(CLI *c) { }
> else if(make_sockets(fd)) longjmp(c->err, 1); +
> set_nonblock(fd[1], 0); /* switch back to blocking mode */ + +
> envc = 0; + +    if(!getnameinfo(&c->peer_addr.sa,
> c->peer_addr_len, +            host, 40, port, 6,
> NI_NUMERICHOST|NI_NUMERICSERV)) { +        /* just don't set these
> variables if getnameinfo() fails */ +        env[envc++] =
> str_printf("REMOTE_HOST=%s", host); +        env[envc++] =
> str_printf("REMOTE_PORT=%s", port); +
> if(c->opt->option.transparent_src) { +#ifndef LIBDIR +#define
> LIBDIR "." +#endif +#ifdef MACH64 +            env[envc++] =
> str_dup("LD_PRELOAD_32=" LIBDIR "/libstunnel.so"); +
> env[envc++] = str_dup("LD_PRELOAD_64=" LIBDIR "/" MACH64
> "/libstunnel.so"); +#elif __osf /* for Tru64 _RLD_LIST is used
> instead */ +            env[envc++] = str_dup("_RLD_LIST=" LIBDIR
> "/libstunnel.so:DEFAULT"); +#else +            env[envc++] =
> str_dup("LD_PRELOAD=" LIBDIR "/libstunnel.so"); +#endif +        } 
> +    } + +    if(c->ssl) { +
> peer_cert=SSL_get_peer_certificate(c->ssl); +        if(peer_cert)
> { +
> name=X509_NAME2text(X509_get_subject_name(peer_cert)); +
> env[envc++] = str_printf("SSL_CLIENT_DN=%s", name); +
> name=X509_NAME2text(X509_get_issuer_name(peer_cert)); +
> env[envc++] = str_printf("SSL_CLIENT_I_DN=%s", name); +
> X509_free(peer_cert); +        } +    } + +    env[envc] = NULL;
> 
> pid=fork(); c->pid=(unsigned long)pid; switch(pid) { case -1:    /*
> error */ +        for (i = 0; i < envc; i++) +
> str_free(env[i]); closesocket(fd[0]); closesocket(fd[1]); 
> ioerror("fork"); longjmp(c->err, 1); case  0:    /* child */ -
> tls_alloc(NULL, c->tls, NULL); /* reuse thread-local storage */ 
> closesocket(fd[0]); -        set_nonblock(fd[1], 0); /* switch back
> to blocking mode */ /* dup2() does not copy FD_CLOEXEC flag */ 
> dup2(fd[1], 0); dup2(fd[1], 1); @@ -1135,36 +1173,6 @@ NOEXPORT
> SOCKET connect_local(CLI *c) { dup2(fd[1], 2); closesocket(fd[1]);
> /* not really needed due to FD_CLOEXEC */
> 
> -        if(!getnameinfo(&c->peer_addr.sa, c->peer_addr_len, -
> host, 40, port, 6, NI_NUMERICHOST|NI_NUMERICSERV)) { -
> /* just don't set these variables if getnameinfo() fails */ -
> putenv(str_printf("REMOTE_HOST=%s", host)); -
> putenv(str_printf("REMOTE_PORT=%s", port)); -
> if(c->opt->option.transparent_src) { -#ifndef LIBDIR -#define
> LIBDIR "." -#endif -#ifdef MACH64 -
> putenv("LD_PRELOAD_32=" LIBDIR "/libstunnel.so"); -
> putenv("LD_PRELOAD_64=" LIBDIR "/" MACH64 "/libstunnel.so"); -#elif
> __osf /* for Tru64 _RLD_LIST is used instead */ -
> putenv("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT"); -#else -
> putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so"); -#endif -
> } -        } - -        if(c->ssl) { -
> peer_cert=SSL_get_peer_certificate(c->ssl); -
> if(peer_cert) { -
> name=X509_NAME2text(X509_get_subject_name(peer_cert)); -
> putenv(str_printf("SSL_CLIENT_DN=%s", name)); -
> name=X509_NAME2text(X509_get_issuer_name(peer_cert)); -
> putenv(str_printf("SSL_CLIENT_I_DN=%s", name)); -
> X509_free(peer_cert); -            } -        } #ifdef
> HAVE_PTHREAD_SIGMASK sigemptyset(&newmask); 
> sigprocmask(SIG_SETMASK, &newmask, NULL); @@ -1176,11 +1184,13 @@
> NOEXPORT SOCKET connect_local(CLI *c) { signal(SIGTERM, SIG_DFL); 
> signal(SIGQUIT, SIG_DFL); signal(SIGINT, SIG_DFL); -
> execvp(c->opt->exec_name, c->opt->exec_args); +
> execve(c->opt->exec_name, c->opt->exec_args, env); 
> ioerror(c->opt->exec_name); /* execvp failed */ _exit(1); default:
> /* parent */ s_log(LOG_INFO, "Local mode child started (PID=%lu)",
> c->pid); +        for (i = 0; i < envc; i++) +
> str_free(env[i]); closesocket(fd[1]); return fd[0]; } 
> _______________________________________________ stunnel-users
> mailing list stunnel-users at stunnel.org 
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWHopMAAoJEC78f/DUFuAUJnwQAKkbfZhC5ctCfJstNQli2syF
oEVo1o0LADUmUGrDYyvmlKI9zZPFshZI0nYSYqPsy8HShSgPFtFn5eP37tl52/6n
ydZ2GtzJS08gVtltB1Rt7TbvX1aAYjwT7YIE1yQi6VzOQNgUYciWJqslB7u4AEuO
dtkx7wPf5vMiOkAJOShR3GVLkjnM9cRDQHo2aAGTMlj2w00NEzOjbkrsU9Ui1IS7
CfS9kYRx75RYuvoDlXwS3S9ri1ZtwmWM2LsF6Au5pfsY6SDHcPrE7wIjzciYskOR
IaA00xWeVbWStVBcGkUAu+a5zcHorgqEPBAPBxrofv45PEiRS311O+Tmlyo+lxrf
NHiSdmHin+4Ggdmg2g5by57YXI7vMJlN6hLuTgZV1SLeoX9nWf5VhfU2eI3EZXG1
g4DIsdtUOkZoOis85pvYTQ7B/bwj5rk+hqFrI3tBQw11NzARjD6mQzBTCyiKSuZI
pB9vrNlPFb1nXfciym/u5p3CVHjSK3pj+2ehQ/B/4szA9iClYrNQhAoldDQvheQc
jthRCEFKXF6obw+PVo/iKTOdGz3c0YKLYrwiiuBN3RvUtnIqDe3WPIyO/Kj+R7wJ
PZIjIuUPElQBkskB4RIpkglDE5dn5O1qAGSMWGQs3zFVfvBTu3uso9mqm6hTX1qG
Ij8h8K+Il9JtwftizDJW
=5GkW
-----END PGP SIGNATURE-----



More information about the stunnel-users mailing list