From: Remi Tricot-Le Breton Date: Wed, 7 Feb 2024 15:38:44 +0000 (+0100) Subject: BUG/MINOR: ssl: Destroy ckch instances before the store during deinit X-Git-Tag: v3.0-dev3~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a290db5706e76f4cdfd20067a8e73805acddeb65;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: Destroy ckch instances before the store during deinit The ckch_store's free'ing function might end up calling 'ssl_sock_free_ocsp' if the corresponding certificate had ocsp data. This ocsp cleanup function expects for the 'refcount_instance' member of the certificate_ocsp structure to be 0, meaning that no live ckch instance kept a reference on this certificate_ocsp structure. But since in ckch_store_free we were destroying the ckch_data before destroying the linked instances, the BUG_ON would fail during a standard deinit. Reversing the cleanup order fixes the problem. Must be backported to 2.8. --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 1eef87ae20..f32e9b8282 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -888,14 +888,14 @@ void ckch_store_free(struct ckch_store *store) if (!store) return; - ssl_sock_free_cert_key_and_chain_contents(store->data); - - ha_free(&store->data); - list_for_each_entry_safe(inst, inst_s, &store->ckch_inst, by_ckchs) { ckch_inst_free(inst); } ebmb_delete(&store->node); + + ssl_sock_free_cert_key_and_chain_contents(store->data); + ha_free(&store->data); + free(store); }
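Review bot: the new ordering in ckch_store_free() is load-bearing but nothing in the code says so. The moved `ssl_sock_free_cert_key_and_chain_contents(store->data);` now has to stay below the `list_for_each_entry_safe(...)` loop that calls `ckch_inst_free(inst)`, and only the commit message explains why: the OCSP cleanup reached from the store's free path expects `refcount_instance` to be 0, and a BUG_ON fires otherwise. I would add a short comment above the moved lines stating that every ckch instance must be released before the store's data is freed, so that a later cleanup or refactor does not silently restore the old order. Because the failure is an abort during deinit and only occurs for a certificate carrying OCSP data (per the description), a regression test that loads such a certificate and runs a normal deinit would keep this from coming back, including on the 2.8 backport.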