BUG/MEDIUM: ssl/cli: trying to access to free'd memory Bug introduced by d9d5d1b ("MINOR: ssl: free instances and SNIs with ckch_inst_free()"). Upon an 'commit ssl cert' the HA_RWLOCK_WRUNLOCK of the SNI lock is done with using the bind_conf pointer of the ckch_inst which was freed. Fix the problem by using an intermediate variable to store the bind_conf pointer.

commit: d5e9377312eb9d64351a878f7d3f7d4a231bdb55 [log] [tgz]
author: William Lallemand <wlallemand@haproxy.com> Thu Apr 09 17:12:16 2020 +0200
committer: William Lallemand <wlallemand@haproxy.org> Thu Apr 09 17:12:16 2020 +0200
tree: 66892ac4a7449beab4acec9d9b038b0cce827e84
parent: ba1c33f8262e40ea3c334a2db4eba18e7e481364 [diff] [blame]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e2713ab..215dcc0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -12010,9 +12010,11 @@
 
 				/* delete the old sni_ctx, the old ckch_insts and the ckch_store */
 				list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) {
-					HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
+					struct bind_conf *bind_conf = ckchi->bind_conf;
+
+					HA_RWLOCK_WRLOCK(SNI_LOCK, &bind_conf->sni_lock);
 					ckch_inst_free(ckchi);
-					HA_RWLOCK_WRUNLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
+					HA_RWLOCK_WRUNLOCK(SNI_LOCK, &bind_conf->sni_lock);
 				}
 
 				/* Replace the old ckchs by the new one */
commit	d5e9377312eb9d64351a878f7d3f7d4a231bdb55	[log] [tgz]
author	William Lallemand <wlallemand@haproxy.com>	Thu Apr 09 17:12:16 2020 +0200
committer	William Lallemand <wlallemand@haproxy.org>	Thu Apr 09 17:12:16 2020 +0200
tree	66892ac4a7449beab4acec9d9b038b0cce827e84
parent	ba1c33f8262e40ea3c334a2db4eba18e7e481364 [diff] [blame]