upstream: Move clearing TLS session from prepare phase to destroy phase

This is because lifecycle of TLS is not synchronized with the current
implementation.

Somewhere, we observed:

Our observation “TLS is freed too early in the upstream prepare-destroy phase
→ UAF risk” case is existing in the current code base.

So, even with Keepalive enabled, our Fluent Bit code base shows multiple conditions where
the TLS session is freed during the “prepare destroy” step,
which can race with async I/O and cause a use-after-free in ssl_write_internal.
Moving TLS freeing to the final destroy_conn() phase mitigates this.

Signed-off-by: Hiroshi Hatake <[email protected]>

Author: cosmo0920

src/flb_upstream.c

@@ -515,13 +515,6 @@ static int prepare_destroy_conn(struct flb_connection *u_conn)
     }
 
     if (u_conn->fd > 0) {
-#ifdef FLB_HAVE_TLS
-        if (u_conn->tls_session != NULL) {
-            flb_tls_session_destroy(u_conn->tls_session);
-
-            u_conn->tls_session = NULL;
-        }
-#endif
         shutdown_connection(u_conn);
 
         flb_socket_close(u_conn->fd);
@@ -572,6 +565,15 @@ static int destroy_conn(struct flb_connection *u_conn)
         return 0;
     }
 
+    /* Delay to destroy TLS session for safety */
+#ifdef FLB_HAVE_TLS
+        if (u_conn->tls_session != NULL) {
+            flb_tls_session_destroy(u_conn->tls_session);
+
+            u_conn->tls_session = NULL;
+        }
+#endif
+
     mk_list_del(&u_conn->_head);
 
     flb_connection_destroy(u_conn);