From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 31 May 2022 16:06:30 +0000 (+0200)
Subject: BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
X-Git-Tag: v2.7-dev1~128
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f08fa46fb5c2ec02f740b716a9674dc72a5cadc;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified

When a CA or a CRL entry is being modified, we must take care to no delete
it because the corresponding ongoing transaction still references it. If we
do so, it leads to a null-deref and a crash may be exeperienced if changes
are commited.

This patch must be backported as far as 2.5.
---

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 0ed81d6d45..ad84eeacc1 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -3252,6 +3252,11 @@ static int cli_parse_del_cafile(char **args, char *payload, struct appctx *appct
 
 	filename = args[3];
 
+	if (cafile_transaction.path && strcmp(cafile_transaction.path, filename) == 0) {
+		memprintf(&err, "ongoing transaction for the CA file '%s'", filename);
+		goto error;
+	}
+
 	cafile_entry = ssl_store_get_cafile_entry(filename, 0);
 	if (!cafile_entry) {
 		memprintf(&err, "CA file '%s' doesn't exist!\n", filename);
@@ -3524,6 +3529,11 @@ static int cli_parse_del_crlfile(char **args, char *payload, struct appctx *appc
 
 	filename = args[3];
 
+	if (crlfile_transaction.path && strcmp(crlfile_transaction.path, filename) == 0) {
+		memprintf(&err, "ongoing transaction for the CRL file '%s'", filename);
+		goto error;
+	}
+
 	cafile_entry = ssl_store_get_cafile_entry(filename, 0);
 	if (!cafile_entry) {
 		memprintf(&err, "CRL file '%s' doesn't exist!\n", filename);