From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Wed, 7 Feb 2024 15:38:42 +0000 (+0100)
Subject: BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line
X-Git-Tag: v3.0-dev3~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23cab33b67dd9dc76de936f47dfa23b1a8ee40e5;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line

When deleting a crt-list line through a "del ssl crt-list" call on the
CLI, we ended up free'ing the corresponding ckch instances without fully
clearing their contents. It left some dangling references on other
objects because the attache SSL_CTX was not deleted, as well as all the
ex_data referenced by it (OCSP responses for instance).

This patch can be backported up to branch 2.4.
---

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 25c859bb1b..bebaccae04 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -1530,7 +1530,7 @@ static int cli_parse_del_crtlist(char **args, char *payload, struct appctx *appc
 			LIST_DELETE(&link_ref->list);
 			free(link_ref);
 		}
-		free(inst);
+		ckch_inst_free(inst);
 	}
 
 	crtlist_free_filters(entry->filters);