Fix a possible double-free bug in SSL bufferevents with CLOSE_ON_FREE

With CLOSE_ON_FREE set, we were telling the BIO to free the bufferevent when
it was closed, and also freeing it ourselves.

diff --git a/bufferevent_openssl.c b/bufferevent_openssl.c
index a5aee02d5d4c8b842979ae9416a19299132d8736..86e674b97f9aeacff5fc2d06b3018682f9d7b00b 100644 (file)
--- a/bufferevent_openssl.c
+++ b/bufferevent_openssl.c
@@ -1207,7 +1207,9 @@ bufferevent_openssl_filter_new(struct event_base *base,
     enum bufferevent_ssl_state state,
     int options)
 {
-       int close_flag = options & BEV_OPT_CLOSE_ON_FREE;
+       /* We don't tell the BIO to close the bufferevent; we do it ourselves
+        * on be_openssl_destruct */
+       int close_flag = 0; /* options & BEV_OPT_CLOSE_ON_FREE; */
        BIO *bio;
        if (!underlying)
                return NULL;