From: Remi Tricot-Le Breton
Date: Wed, 7 Feb 2024 15:38:42 +0000 (+0100)
Subject: BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
X-Git-Tag: v2.9.5~34
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=f41ddcb;p=haproxy-2.9.git

BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line

When deleting a crt-list line through a "del ssl crt-list" call on the CLI, we ended up free'ing the corresponding ckch instances without fully clearing their contents. It left some dangling references on other objects because the attached SSL_CTX was not deleted, as well as all the ex_data referenced by it (OCSP responses for instance).

This patch can be backported up to branch 2.4.

(cherry picked from commit 23cab33b67dd9dc76de936f47dfa23b1a8ee40e5)
Signed-off-by: Christopher Faulet
---
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c index 9ea5ea0..dcd9171 100644 --- a/src/ssl_crtlist.c +++ b/src/ssl_crtlist.c @@ -1530,7 +1530,7 @@ static int cli_parse_del_crtlist(char **args, char *payload, struct appctx *appc LIST_DELETE(&link_ref->list); free(link_ref); } - free(inst); + ckch_inst_free(inst); } crtlist_free_filters(entry->filters);
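Review bot: The context lines just above the changed call still release parts of the instance by hand (LIST_DELETE(&link_ref->list); free(link_ref);) before ckch_inst_free(inst) runs, so teardown of one object is now split between this CLI handler and the helper. Please confirm that ckch_inst_free() does not walk or free those same link_ref entries a second time. If the helper already covers them, drop the manual unlinking here so the instance is released in one place. If the manual step has to stay, a short comment saying why would keep the next reader from removing it or duplicating it. The commit message names the SSL_CTX and its ex_data (OCSP responses) as what was left dangling, so a regression test that issues "del ssl crt-list" on a line with an OCSP response attached would pin the fix for the backports down to 2.4.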