BUG/MEDIUM: ssl: Fix a UAF when old ckch instances are released
authorChristopher Faulet <cfaulet@haproxy.com>
Tue, 30 Aug 2022 14:27:49 +0000 (16:27 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Tue, 30 Aug 2022 14:27:51 +0000 (16:27 +0200)
When old ckch instances are released at the end of the "commit ssl ca-file" or
"commit ssl crl-file" commands, the list link is released too. But we walk through
the list using the unsafe macro, so the freed link is dereferenced to reach the
next element. list_for_each_entry_safe() must be used.

This bug was introduced by commit 056ad01d5 ("BUG/MINOR: ssl: leak of
ckch_inst_link in ckch_inst_free()"). Thus this patch must be backported as
far as 2.5.

src/ssl_ckch.c

index 2feb769ca653671c1c9456a8107614162eb3668e..6c8975f06ef7e01f32eabf458f910b5e54cddbdc 100644 (file)
@@ -2810,7 +2810,7 @@ static int cli_io_handler_commit_cafile_crlfile(struct appctx *appctx)
        int y = 0;
        struct cafile_entry *old_cafile_entry = ctx->old_entry;
        struct cafile_entry *new_cafile_entry = ctx->new_entry;
-       struct ckch_inst_link *ckchi_link;
+       struct ckch_inst_link *ckchi_link, *ckchi_link_back;
        char *path;
 
        if (unlikely(sc_ic(sc)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
@@ -2910,7 +2910,7 @@ static int cli_io_handler_commit_cafile_crlfile(struct appctx *appctx)
                                }
 
                                /* delete the old sni_ctx, the old ckch_insts and the ckch_store */
-                               list_for_each_entry(ckchi_link, &old_cafile_entry->ckch_inst_link, list) {
+                               list_for_each_entry_safe(ckchi_link, ckchi_link_back, &old_cafile_entry->ckch_inst_link, list) {
                                        __ckch_inst_free_locked(ckchi_link->ckch_inst);
                                }