Ticket #47375 - flush_ber error sending back start_tls response will deadlock
https://fedorahosted.org/389/ticket/47375
Reviewed by: nkinder (Thanks!)
Branch: master
Fix Description: The deadlock is caused by the client (or intermediary network
device) closing the connection while the server is attempting to write to the
client, to send back the start tls "success" response. The server will lock
the c_mutex to disconnect the connection in this error case. Since the c_mutex
has already been locked in start_tls(), the server will deadlock. The polling
thread will also attempt to lock c_mutex, deadlocking it too, and the server
will become completely unresponsive. The fix for this part is to make sure
never to call send_ldap_result with c_mutex locked.
After the server sends back the "success" response, if the
client immediately issues a TLS session negotiation, the server may not
have yet completely set up the socket for TLS, and will attempt to use the
partially set up socket, which can crash. The fix for this is to set up the
socket for TLS IO using a Conn_IO_Layer callback, to establish the TLS IO
for the connection before the next read() operation.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit ae38b5fc5a40247e52bab960146ed23b286e05f6)