BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser
authorWilliam Lallemand <wlallemand@haproxy.com>
Mon, 16 Feb 2026 14:22:47 +0000 (15:22 +0100)
committerWilliam Lallemand <wlallemand@haproxy.com>
Mon, 16 Feb 2026 15:04:35 +0000 (16:04 +0100)
In post_section_frontend_crt_init(), the crt_entry is populated by the
ssl_conf from the cfg_crt_node. On the error path, the crt_list is
completely freed, including the ssl_conf structure. But the ssl_conf
structure was already freed when freeing the cfg_crt_node.

Fix the issue by doing a crtlist_dup_ssl_conf(n->ssl_conf) in the
crtlist_entry instead of an assignment.

Fix issue #3268.

Need to be backported as far as 3.2. The previous patch which adds the
crtlist_dup_ssl_conf() declaration is needed.

src/cfgparse-ssl.c

index 660f88b429300e2d5f04f91d3bea0c62a374b941..a81f3efe1719a6cd644b183baf17a0fce0574b46 100644 (file)
@@ -2558,7 +2558,7 @@ static int post_section_frontend_crt_init()
                }
 
                /* must set the ssl_conf in case of duplication of the crtlist_entry */
-               entry->ssl_conf = n->ssl_conf;
+               entry->ssl_conf = crtlist_dup_ssl_conf(n->ssl_conf);
 
                err_code |= crtlist_load_crt(n->ckch_conf->crt, n->ckch_conf, newlist, entry, n->filename, n->linenum, &err);
                if (err_code & ERR_CODE)
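Review bot: The result of `crtlist_dup_ssl_conf(n->ssl_conf)` is stored unchecked on the added line. The helper's body is not visible here, but if it returns NULL on allocation failure, the entry would be loaded without the per-certificate SSL settings the configuration asked for, presumably falling back silently to the bind-line defaults. A guard such as `if (n->ssl_conf && !entry->ssl_conf)` that reports the failure and takes the function's existing error path before `crtlist_load_crt()` would keep this fail-closed. The comment above the assignment could also record the ownership rule the fix depends on, e.g. `/* entry gets its own copy of ssl_conf: the cfg_crt_node and the crtlist each free theirs */`. The enclosing function starts and ends outside the hunk.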