BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path

We could run under heavy load in containers or on premises and some automatic
tool in parallel could use CLI to check OCSP updates statuses or to upload new
OCSP responses. So, calloc() to store OCSP update callback arguments may fail
and ocsp_tree_lock need to be unlocked, when exiting due to this failure.

This needs to be backported in all stable versions until v2.4.0 included.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index acfa15b266a12f069e2a238e2488d6e36bc8d730..08aa282735d2204bca28cd7534c7d5da5a8491fc 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1195,8 +1195,10 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
                EVP_PKEY *pkey;
 
                cb_arg = calloc(1, sizeof(*cb_arg));
-               if (!cb_arg)
+               if (!cb_arg) {
+                       HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
                        goto out;
+               }
 
                cb_arg->is_single = 1;
                cb_arg->s_ocsp = iocsp;