RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: ssl: Fix a UAF when old ckch instances are released 

When old chck instances is released at the end of "commit ssl ca-file" or
"commit ssl crl-file" commands, the link is released. But we walk through
the list using the unsafe macro. list_for_each_entry_safe() must be used.

This bug was introduced by commit 056ad01d5 ("BUG/MINOR: ssl: leak of
ckch_inst_link in ckch_inst_free()"). Thus this patch must be backported as
far as 2.5.
This commit is contained in:
Christopher Faulet 2022-08-30 16:27:49 +02:00
parent f611248d8c
commit ddd480cbdc
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/ssl_ckch.c
View File

@ -2810,7 +2810,7 @@ static int cli_io_handler_commit_cafile_crlfile(struct appctx *appctx)
int y = 0;
struct cafile_entry *old_cafile_entry = ctx->old_entry;
struct cafile_entry *new_cafile_entry = ctx->new_entry;
struct ckch_inst_link *ckchi_link;
struct ckch_inst_link *ckchi_link, *ckchi_link_back;
char *path;
if (unlikely(sc_ic(sc)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
@ -2910,7 +2910,7 @@ static int cli_io_handler_commit_cafile_crlfile(struct appctx *appctx)
}
/* delete the old sni_ctx, the old ckch_insts and the ckch_store */
list_for_each_entry(ckchi_link, &old_cafile_entry->ckch_inst_link, list) {
list_for_each_entry_safe(ckchi_link, ckchi_link_back, &old_cafile_entry->ckch_inst_link, list) {
__ckch_inst_free_locked(ckchi_link->ckch_inst);
}