From: Valentine Krasnobaeva
Date: Mon, 15 Jul 2024 12:57:05 +0000 (+0200)
Subject: BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path
X-Git-Tag: v3.1-dev4~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9371c28c28311f34d03c6e44bbeaf2214a1bec44;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path

We could run under heavy load in containers or on premises, and some automatic tool in parallel could use the CLI to check OCSP update statuses or to upload new OCSP responses. So, calloc() to store OCSP update callback arguments may fail, and ocsp_tree_lock needs to be unlocked when exiting due to this failure.

This needs to be backported in all stable versions until v2.4.0 included.

---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c index acfa15b266..08aa282735 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1195,8 +1195,10 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store EVP_PKEY *pkey; cb_arg = calloc(1, sizeof(*cb_arg)); - if (!cb_arg) + if (!cb_arg) { + HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock); goto out; + } cb_arg->is_single = 1; cb_arg->s_ocsp = iocsp;
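Review bot: the added `HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);` before `goto out` is the right fix for this calloc() failure path, but an unlock-then-goto inline at each failure site is easy to forget on the next error path added while the lock is held; consider a dedicated label such as `out_unlock:` that releases `ocsp_tree_lock` once and falls through to `out:`, so every failure under the lock jumps to it instead of repeating the unlock. It is also worth confirming from the surrounding function (not shown in the hunk) that `out:` does not itself release `ocsp_tree_lock`, otherwise this path would now unlock twice; a short comment at the `calloc()` site noting that the lock is held here would help reviewers of future backports to the stable branches mentioned in the message.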