BUG/MEDIUM: ssl/cli: trying to access to free'd memory

Bug introduced by d9d5d1b ("MINOR: ssl: free instances and SNIs with
ckch_inst_free()").

Upon an 'commit ssl cert' the HA_RWLOCK_WRUNLOCK of the SNI lock is done
with using the bind_conf pointer of the ckch_inst which was freed.

Fix the problem by using an intermediate variable to store the
bind_conf pointer.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e2713ab24b7a8cb1b2e28a323c2363f2dc07a60b..215dcc00f0ce674873c5a248c1a83fa65e9b1849 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -12010,9 +12010,11 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 
                                /* delete the old sni_ctx, the old ckch_insts and the ckch_store */
                                list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) {
-                                       HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
+                                       struct bind_conf *bind_conf = ckchi->bind_conf;
+
+                                       HA_RWLOCK_WRLOCK(SNI_LOCK, &bind_conf->sni_lock);
                                        ckch_inst_free(ckchi);
-                                       HA_RWLOCK_WRUNLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
+                                       HA_RWLOCK_WRUNLOCK(SNI_LOCK, &bind_conf->sni_lock);
                                }
 
                                /* Replace the old ckchs by the new one */