BUG/MINOR: ocsp: Crash when updating CA during ocsp updates

If an ocsp response is set to be updated automatically and some
certificate or CA updates are performed on the CLI, if the CLI update
happens while the OCSP response is being updated and is then detached
from the update tree, it might be wrongly inserted into the update tree
in 'ssl_sock_load_ocsp', and then reinserted when the update finishes.

The update tree then gets corrupted and we could end up crashing when
accessing other nodes in the ocsp response update tree.

This patch must be backported up to 2.8.
This patch fixes GitHub #3100.
Remi Tricot-Le Breton
2025-09-08 15:44:23 +02:00
committed by Christopher Faulet
parent 157852ce99
commit 167ea8fc7b
3 changed files with 27 additions and 15 deletions

@@ -53,7 +53,7 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
int ssl_create_ocsp_update_task(char **err);
void ssl_destroy_ocsp_update_task(void);
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking);
int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
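Review bot: the new `needs_locking` argument on the `ssl_ocsp_update_insert` prototype is a bare int with no comment, so a call site passing 0 or 1 does not tell the reader which lock the caller is expected to hold. Since the commit message describes tree corruption from an insertion racing with an in-progress update, please add a comment above the prototype naming the lock and stating that passing 0 means the caller already holds it. Alternatively, split this into a locking function and a caller-holds-lock variant so the contract is visible in the function name rather than in a flag value.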