From 86df0e206e94ebfc2a87bf60ec74e86cc0235ffa Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Mon, 16 Feb 2026 15:22:47 +0100 Subject: [PATCH] BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser In post_section_frontend_crt_init(), the crt_entry is populated by the ssl_conf fromt the cfg_crt_node. On error path, the crt_list is completely freed, including the ssl_conf structure. But the ssl_conf structure was already freed when freeing the cfg_crt_node. Fix the issue by doing a crtlist_dup_ssl_conf(n->ssl_conf) in the crtlist_entry instead of an assignation. Fix issue #3268. Need to be backported as far as 3.2. The previous patch which adds the crtlist_dup_ssl_conf() declaration is needed. --- src/cfgparse-ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c index 660f88b42..a81f3efe1 100644 --- a/src/cfgparse-ssl.c +++ b/src/cfgparse-ssl.c @@ -2558,7 +2558,7 @@ static int post_section_frontend_crt_init() } /* must set the ssl_conf in case of duplication of the crtlist_entry */ - entry->ssl_conf = n->ssl_conf; + entry->ssl_conf = crtlist_dup_ssl_conf(n->ssl_conf); err_code |= crtlist_load_crt(n->ckch_conf->crt, n->ckch_conf, newlist, entry, n->filename, n->linenum, &err); if (err_code & ERR_CODE)