upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-25 10:42:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Details
Contrib / dev/flags/ (push) Waiting to run
Details
Contrib / dev/haring/ (push) Waiting to run
Details
Contrib / dev/hpack/ (push) Waiting to run
Details
Contrib / dev/poll/ (push) Waiting to run
Details
VTest / Generate Build Matrix (push) Waiting to run
Details
VTest / (push) Blocked by required conditions
Details
Windows / Windows, gcc, all features (push) Waiting to run
Details

Browse source 
In ssl_sock_generate_certificate(), if the LRU cache for generated
certificates is used, the LRU tree is not unlocked on cache miss if the
certificate generation failed. So let's unlock it on error path.

The bug was introduced by the commit fbc98ebcd ("BUG/MEDIUM: ssl: fix error
path on generate-certificates"). So this patch must be backported with the
commit above, so to all stable versions.
This commit is contained in:
Christopher Faulet 2026-05-22 11:36:59 +02:00
parent 75f72c2eb9
commit 04b9215a2e
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/ssl_gencert.c
View file

@ -356,8 +356,10 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
ssl_ctx = (SSL_CTX *)lru->data;
if (!ssl_ctx && lru) {
ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
if (!ssl_ctx)
if (!ssl_ctx) {
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
goto error;
}
lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
}
SSL_set_SSL_CTX(ssl, ssl_ctx);