ports/112054: [Maintainer] www/squid: add vendor patch for Squid bug #1814

Mon Apr 23 21:00:14 UTC 2007

>Number:         112054
>Category:       ports
>Synopsis:       [Maintainer] www/squid: add vendor patch for Squid bug #1814
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 23 21:00:11 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of April 23, 2007.

	
>Description:
Add a patch for Squid bug #1814, see
<http://www.squid-cache.org/bugs/show_bug.cgi?id=1814>. The patchset
is a slightly modified version of the Squid patchset 11375.

Since this patch conflicts with the ICAP patchset and only affects
non-default configurations that have been compiled using the
WITH_SQUID_SSL configuration option, apply the patch only when this
option is enabled. Set IGNORE when both WITH_SQUID_SSL and
WITH_SQUID_ICAP are defined.

Bump PORTREVISION (not strictly necessary because the default
installation and package remain unchanged but maybe helpful to
identify the fixed version).  I leave this to the committer's
discretion.

Added file:
files/extra-patch-changeset_11375
	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: Makefile
===================================================================

--- Makefile	(.../www/squid)	(revision 1152)
+++ Makefile	(.../local/squid)	(revision 1152)
@@ -76,6 +76,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.6.12
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
 		ftp://ftp.vistech.net/pub/squid/%SUBDIR%/ \
@@ -279,7 +280,11 @@
 			--with-openssl="${OPENSSLBASE}"
 CFLAGS+=	-I${OPENSSLINC}
 LDFLAGS+=	-L${OPENSSLLIB}
+.if defined(WITH_SQUID_ICAP)
+IGNORE=		is currently broken with both ICAP and SSL support enabled because of conflicting patches. This will be resolved for Squid 2.6.13
 .endif
+EXTRA_PATCHES+=	${PATCHDIR}/extra-patch-changeset_11375
+.endif
 .if defined(WITH_SQUID_PINGER)
 CONFIGURE_ARGS+=	--enable-icmp
 libexec+=	pinger
Index: files/extra-patch-changeset_11375
===================================================================
--- files/extra-patch-changeset_11375	(.../www/squid)	(revision 0)
+++ files/extra-patch-changeset_11375	(.../local/squid)	(revision 1152)
@@ -0,0 +1,77 @@
+---------------------
+PatchSet 11375 
+Date: 2007/04/17 09:35:17
+Author: hno
+Branch: SQUID_2_6
+Tag: (none) 
+Log:
+MFC: Bug #1814: SSL memory leak on persistent SSL connections
+
+Memory leak when attemting to reuse SSL-negotiated outgoing connections.
+
+Mainly affects reverse proxy setups using SSL-enabled peers.
+
+Merged changes:
+2007/04/16 23:05:50 hno +8 -6 Bug #1814: SSL memory leak on persistent SSL connections
+
+Members: 
+	src/forward.c:1.120.2.2->1.120.2.3 
+
+Note: this patchset was slightly modified for the FreeBSD port
+      to make it apply cleanly (one hunk removed, path information stripped)
+
+Index: squid/src/forward.c
+===================================================================
+RCS file: /cvsroot/squid/squid/src/forward.c,v
+retrieving revision 1.120.2.2
+retrieving revision 1.120.2.3
+diff -u -r1.120.2.2 -r1.120.2.3
+--- src/forward.c	26 Mar 2007 23:14:09 -0000	1.120.2.2
++++ src/forward.c	17 Apr 2007 09:35:17 -0000	1.120.2.3
+@@ -319,6 +319,7 @@
+     fd_table[fd].ssl = ssl;
+     fd_table[fd].read_method = &ssl_read_method;
+     fd_table[fd].write_method = &ssl_write_method;
++    fd_note(fd, "Negotiating SSL");
+     fwdNegotiateSSL(fd, fwdState);
+ }
+ #endif
+@@ -357,10 +358,6 @@
+ 	comm_close(server_fd);
+     } else {
+ 	debug(17, 3) ("fwdConnectDone: FD %d: '%s'\n", server_fd, storeUrl(fwdState->entry));
+-	fd_note(server_fd, storeUrl(fwdState->entry));
+-	fd_table[server_fd].uses++;
+-	if (fd_table[server_fd].uses == 1 && fs->peer)
+-	    peerConnectSucceded(fs->peer);
+ #if USE_SSL
+ 	if ((fs->peer && fs->peer->use_ssl) ||
+ 	    (!fs->peer && request->protocol == PROTO_HTTPS)) {
+@@ -535,7 +532,7 @@
+ 		hierarchyNote(&fwdState->request->hier, fs->code, fd_table[fd].ipaddr);
+ 	    else
+ 		hierarchyNote(&fwdState->request->hier, fs->code, name);
+-	    fwdConnectDone(fd, COMM_OK, fwdState);
++	    fwdDispatch(fwdState);
+ 	    return;
+ 	} else {
+ 	    /* Discard the persistent connection to not cause
+@@ -653,6 +650,7 @@
+     StoreEntry *entry = fwdState->entry;
+     ErrorState *err;
+     int server_fd = fwdState->server_fd;
++    FwdServer *fs = fwdState->servers;
+     debug(17, 3) ("fwdDispatch: FD %d: Fetching '%s %s'\n",
+ 	fwdState->client_fd,
+ 	RequestMethodStr[request->method],
+@@ -667,6 +665,10 @@
+     assert(entry->ping_status != PING_WAITING);
+     assert(entry->lock_count);
+     EBIT_SET(entry->flags, ENTRY_DISPATCHED);
++    fd_note(server_fd, storeUrl(fwdState->entry));
++    fd_table[server_fd].uses++;
++    if (fd_table[server_fd].uses == 1 && fs->peer)
++	peerConnectSucceded(fs->peer);
+     netdbPingSite(request->host);
+     entry->mem_obj->refresh_timestamp = squid_curtime;
+     if (fwdState->servers && (p = fwdState->servers->peer)) {
>Release-Note:
>Audit-Trail:
>Unformatted:

