From: William Lallemand Date: Wed, 8 Apr 2020 08:30:44 +0000 (+0200) Subject: BUG/MINOR: ssl/cli: lock the ckch structures during crt-list delete X-Git-Tag: v2.2-dev6~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=463b5242985f01d0d162b6eb74c9ca0da728f3e1;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl/cli: lock the ckch structures during crt-list delete The cli_parse_del_crtlist() does unlock the ckch big lock, but it does not lock it at the beginning of the function which is dangerous. As a side effect it let the structures locked once it called the unlock. This bug was introduced by 0a9b941 ("MINOR: ssl/cli: 'del ssl crt-list' delete an entry") --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index b1670456bb..e9166053ff 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -11512,6 +11512,9 @@ static int cli_parse_del_crtlist(char **args, char *payload, struct appctx *appc if (!*args[3] || !*args[4]) return cli_err(appctx, "'del ssl crtlist' expects a filename and a certificate name\n"); + if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) + return cli_err(appctx, "Can't delete!\nOperations on certificates are currently locked!\n"); + crtlist_path = args[3]; cert_path = args[4];
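Review bot: Every exit from cli_parse_del_crtlist() after the new HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock) now has to release ckch_lock, and the hunk shows only the acquisition, not the paths that follow `crtlist_path = args[3];`. The placement after the `!*args[3] || !*args[4]` check is right, since that early return must not hold the lock, but please confirm that each later error return (for example a lookup failure on crtlist_path or cert_path) goes through the existing unlock rather than returning directly. Otherwise a failed delete would leave certificate operations blocked with the "Operations on certificates are currently locked!" message. A single error label that unlocks before returning would make this easy to audit. Minor: the context line's message says 'del ssl crtlist' while the commit message refers to the command as 'del ssl crt-list'; worth aligning the wording in a follow-up.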