From 9371c28c28311f34d03c6e44bbeaf2214a1bec44 Mon Sep 17 00:00:00 2001 From: Valentine Krasnobaeva Date: Mon, 15 Jul 2024 14:57:05 +0200 Subject: [PATCH] BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path We could run under heavy load in containers or on premises and some automatic tool in parallel could use CLI to check OCSP updates statuses or to upload new OCSP responses. So, calloc() to store OCSP update callback arguments may fail and ocsp_tree_lock need to be unlocked, when exiting due to this failure. This needs to be backported in all stable versions until v2.4.0 included. --- src/ssl_sock.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index acfa15b266..08aa282735 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1195,8 +1195,10 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store EVP_PKEY *pkey; cb_arg = calloc(1, sizeof(*cb_arg)); - if (!cb_arg) + if (!cb_arg) { + HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock); goto out; + } cb_arg->is_single = 1; cb_arg->s_ocsp = iocsp; -- 2.47.3