mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-10-26 14:10:59 +01:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: acme: don't unlink from acme_ctx_destroy()

Browse Source 
Unlinking the acme_ctx element from acme_ctx_destroy() requires to have
the element unlocked, because MT_LIST_DELETE() locks the element.

acme_ctx_destroy() frees the data from acme_ctx with the ctx still
linked and unlocked, then lock to unlink. So there's a small risk of
accessing acme_ctx from somewhere else. The only way to do that would be
to use the `acme challenge_ready` CLI command at the same time.

Fix the issue by doing a mt_list_unlock_link() and a
mt_list_unlock_self() to unlink the element under the lock, then destroy
the element.

This must be backported in 3.2.
This commit is contained in:
William Lallemand 2025-09-27 18:38:17 +02:00
parent 6499c0a0d5
commit 406fd0ceb1
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/acme.c
View File

@ -845,7 +845,6 @@ static void acme_ctx_destroy(struct acme_ctx *ctx)
X509_REQ_free(ctx->req); X509_REQ_free(ctx->req);
MT_LIST_DELETE(&ctx->el);
free(ctx); free(ctx);
} }
@ -2362,8 +2361,10 @@ abort:
ha_free(&errmsg); ha_free(&errmsg);
end: end:
MT_LIST_UNLOCK_FULL(&ctx->el, tmp);
acme_del_acme_ctx_map(ctx); acme_del_acme_ctx_map(ctx);
/* unlink ctx from the mtlist then destroy */
mt_list_unlock_link(tmp);
mt_list_unlock_self(&ctx->el);
acme_ctx_destroy(ctx); acme_ctx_destroy(ctx);
task_destroy(task); task_destroy(task);
task = NULL; task = NULL;