From 88dd3cf6033b336ff5635189464cd82e8047732d Mon Sep 17 00:00:00 2001
From: Florin Coras
Date: Sat, 1 May 2021 19:01:42 -0700
Subject: [PATCH] tls: cleanup dtls migrated context
Type: fix
Signed-off-by: Florin Coras
Change-Id: I433cc1b7a29f785a431618641317bbfbbe2cf2f4
---
 src/plugins/tlsopenssl/tls_openssl.c | 13 +++++++++----
 src/vnet/tls/tls.c | 11 +++++++----
 2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 4278c34403d..df8f167cb1f 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -61,15 +61,20 @@ openssl_ctx_free (tls_ctx_t * ctx)
 {
 openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
- if (SSL_is_init_finished (oc->ssl) && !ctx->is_passive_close)
- SSL_shutdown (oc->ssl);
+ /* Cleanup ssl ctx unless migrated */
+ if (!ctx->is_migrated)
+ {
+ if (SSL_is_init_finished (oc->ssl) && !ctx->is_passive_close)
+ SSL_shutdown (oc->ssl);
- SSL_free (oc->ssl);
+ SSL_free (oc->ssl);
+ vec_free (ctx->srv_hostname);
 #ifdef HAVE_OPENSSL_ASYNC
 openssl_evt_free (ctx->evt_index, ctx->c_thread_index);
 #endif
- vec_free (ctx->srv_hostname);
+ }
+
 pool_put_index (openssl_main.ctx_pool[ctx->c_thread_index], oc->openssl_ctx_index);
 }
diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index 634d231494d..57dcc7fbb54 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -617,7 +617,7 @@ tls_app_session_cleanup (session_t * s, session_cleanup_ntf_t ntf)
 }
 static void
-dtls_migrate_udp (void *arg)
+dtls_migrate_ctx (void *arg)
 {
 tls_ctx_t *ctx = (tls_ctx_t *) arg;
 u32 ctx_handle, thread_index;
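Review bot: In openssl_ctx_free (tls_openssl.c) the `openssl_evt_free (ctx->evt_index, ctx->c_thread_index)` call under `HAVE_OPENSSL_ASYNC` now sits inside the new `if (!ctx->is_migrated)` block, so a migrated context gives back its pool slot without releasing its async event. That call is keyed by a thread index and the clone is handed to another thread in tls.c, so it is worth confirming that the event is released exactly once and against the right thread; the detach/attach code that would settle this is not part of the patch. The new comment could also record the ownership rule the guard relies on, if that is the intent, for example `/* ssl and srv_hostname now belong to the migrated clone; freeing them here would be a double free */`. The function's signature lies outside the hunk, its body is fully visible.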
@@ -641,15 +641,18 @@ static void
 dtls_session_migrate_callback (session_t *us, session_handle_t new_sh)
 {
 u32 new_thread = session_thread_from_handle (new_sh);
- tls_ctx_t *ctx;
+ tls_ctx_t *ctx, *cloned_ctx;
 /* Migrate dtls context to new thread */
 ctx = tls_ctx_get_w_thread (us->opaque, us->thread_index);
 ctx->tls_session_handle = new_sh;
- ctx = tls_ctx_detach (ctx);
+ cloned_ctx = tls_ctx_detach (ctx);
 ctx->is_migrated = 1;
- session_send_rpc_evt_to_thread (new_thread, dtls_migrate_udp, (void *) ctx);
+ session_send_rpc_evt_to_thread (new_thread, dtls_migrate_ctx,
+ (void *) cloned_ctx);
+
+ tls_ctx_free (ctx);
 }
 static session_cb_vft_t tls_app_cb_vft = {
-- 
2.16.6
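Review bot: The new `tls_ctx_free (ctx)` at the end of dtls_session_migrate_callback is only safe because `ctx->is_migrated = 1` is set after `tls_ctx_detach (ctx)` and before the free, and nothing in the code states that ordering requirement. If detach copies the context (it is not shown here), setting the flag earlier would presumably make the clone skip its own SSL cleanup, and dropping it would let the old thread free state the clone still uses. A comment above the assignment such as `/* mark only the original as migrated: the clone owns the ssl state and must still free it */` would pin this down. The `is_migrated` guard is added only in tls_openssl.c in this patch, so any other engine free callback that can be reached for a DTLS context would need the same check.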