From: William Lallemand Date: Thu, 9 Apr 2020 15:12:16 +0000 (+0200) Subject: BUG/MEDIUM: ssl/cli: trying to access to free'd memory X-Git-Tag: v2.2-dev6~19 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=d5e9377312eb9d64351a878f7d3f7d4a231bdb55;p=haproxy-3.0.git BUG/MEDIUM: ssl/cli: trying to access to free'd memory Bug introduced by d9d5d1b ("MINOR: ssl: free instances and SNIs with ckch_inst_free()"). Upon an 'commit ssl cert' the HA_RWLOCK_WRUNLOCK of the SNI lock is done with using the bind_conf pointer of the ckch_inst which was freed. Fix the problem by using an intermediate variable to store the bind_conf pointer. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index e2713ab..215dcc0 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -12010,9 +12010,11 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) /* delete the old sni_ctx, the old ckch_insts and the ckch_store */ list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) { - HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock); + struct bind_conf *bind_conf = ckchi->bind_conf; + + HA_RWLOCK_WRLOCK(SNI_LOCK, &bind_conf->sni_lock); ckch_inst_free(ckchi); - HA_RWLOCK_WRUNLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock); + HA_RWLOCK_WRUNLOCK(SNI_LOCK, &bind_conf->sni_lock); } /* Replace the old ckchs by the new one */
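Review bot: The new local bind_conf declared at the top of the list_for_each_entry_safe body in cli_io_handler_commit_cert() carries no comment explaining why it exists, so a later cleanup could fold it back into ckchi->bind_conf and reintroduce the read of freed memory on the HA_RWLOCK_WRUNLOCK line. Suggest a one-line comment above the declaration stating that ckch_inst_free() frees ckchi, so the bind_conf pointer has to be saved before the call in order to release the SNI lock afterwards. Since the commit message attributes the bug to the change that introduced ckch_inst_free(), it is also worth checking whether any other call site takes the lock through the instance pointer and releases it the same way after the free.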