BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified

When a certificate entry is being modified, we must take care to no delete
it because the corresponding ongoing transaction still references it. If we
do so, it leads to a null-deref and a crash may be exeperienced if changes
are commited.

This patch must be backported as far as 2.2.

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index def02657ae9382a0e3b6bc3e15ec015ead83f913..0ed81d6d45e1c9b63e85a056952ae61d2055cdb4 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -2502,6 +2502,11 @@ static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx,
 
        filename = args[3];
 
+       if (ckchs_transaction.path && strcmp(ckchs_transaction.path, filename) == 0) {
+               memprintf(&err, "ongoing transaction for the certificate '%s'", filename);
+               goto error;
+       }
+
        store = ckchs_lookup(filename);
        if (store == NULL) {
                memprintf(&err, "certificate '%s' doesn't exist!\n", filename);