From d5e9377312eb9d64351a878f7d3f7d4a231bdb55 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Thu, 9 Apr 2020 17:12:16 +0200
Subject: [PATCH] BUG/MEDIUM: ssl/cli: trying to access to free'd memory

Bug introduced by d9d5d1b ("MINOR: ssl: free instances and SNIs with ckch_inst_free()"). Upon an 'commit ssl cert' the HA_RWLOCK_WRUNLOCK of the SNI lock is done with using the bind_conf pointer of the ckch_inst which was freed. Fix the problem by using an intermediate variable to store the bind_conf pointer.
---
 src/ssl_sock.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e2713ab..215dcc0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -12010,9 +12010,11 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 /* delete the old sni_ctx, the old ckch_insts and the ckch_store */
 list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) {
- HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
+ struct bind_conf *bind_conf = ckchi->bind_conf;
+
+ HA_RWLOCK_WRLOCK(SNI_LOCK, &bind_conf->sni_lock);
 ckch_inst_free(ckchi);
- HA_RWLOCK_WRUNLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
+ HA_RWLOCK_WRUNLOCK(SNI_LOCK, &bind_conf->sni_lock);
 }
 /* Replace the old ckchs by the new one */
--
1.7.10.4
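Review bot: The local `bind_conf` copy at the top of the loop body carries no comment saying why it exists, so a later cleanup could fold it back into `ckchi->bind_conf` and bring back the read of freed memory on the unlock line. I would add `/* ckch_inst_free() releases ckchi; keep bind_conf so sni_lock can be unlocked afterwards */` above the declaration. The fix also relies on the bind_conf outliving the instance, which the commit message implies but this hunk does not show. cli_io_handler_commit_cert starts and ends outside the hunk, and any other caller that holds a lock reached through the instance across ckch_inst_free() would need the same treatment; none is visible here.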