From: Remi Tricot-Le Breton Date: Tue, 28 Feb 2023 16:46:19 +0000 (+0100) Subject: MINOR: ssl: Reinsert ocsp update entries later in case of unknown error X-Git-Tag: v2.8-dev5~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6de7b78c9f92b3bac00e8fc678077aa6aa440876;p=thirdparty%2Fhaproxy.git MINOR: ssl: Reinsert ocsp update entries later in case of unknown error In case of allocation error during the construction of an OCSP request for instance, we would have ended reinserting the ocsp entry at the same place in the ocsp update tree which could potentially lead to an "endless" loop of errors in ssl_ocsp_update_responses. In such a case, entries are now reinserted further in the tree (1 minute later) in order to avoid such a chain of alloc failure. --- diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index ef624b0733..f23531aa7e 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -1150,7 +1150,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context, leave: if (ctx->cur_ocsp) { /* Something went wrong, reinsert the entry in the tree. */ - ssl_ocsp_update_insert(ctx->cur_ocsp); + ssl_ocsp_update_insert_after_error(ctx->cur_ocsp); /* Release the reference kept on the updated ocsp response. */ ssl_sock_free_ocsp(ctx->cur_ocsp); ctx->cur_ocsp = NULL;
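Review bot: The comment above the changed call in the `leave:` block still reads "Something went wrong, reinsert the entry in the tree.", which no longer says that the reinsertion is deliberately delayed. Suggest rewording it to state that the entry is reinserted later (the commit message gives 1 minute) so that a failing entry is not picked up again immediately by ssl_ocsp_update_responses. The definition of ssl_ocsp_update_insert_after_error is not visible in this hunk, so the delay cannot be confirmed from here; that helper should carry a comment stating the delay and how it differs from ssl_ocsp_update_insert. Note also that every path reaching `leave:` with ctx->cur_ocsp set now takes the delayed reinsertion, not only allocation failures, so it is worth stating in the comment that this is intended for all error exits.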