From: William Lallemand Date: Tue, 7 Oct 2025 08:54:58 +0000 (+0200) Subject: BUG/MINOR: acme: avoid overflow when diff > notAfter X-Git-Tag: v3.3-dev10~68 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=45fba1db27eea3894e75678ed11a2ca3cec8014b;p=thirdparty%2Fhaproxy.git BUG/MINOR: acme: avoid overflow when diff > notAfter Avoid an overflow or a negative value if notAfter < diff. This is unlikely to provoke any problem. Fixes issue #3138. Must be backported to 3.2. --- diff --git a/src/acme.c b/src/acme.c index e302b9865..9ce93b03e 100644 --- a/src/acme.c +++ b/src/acme.c @@ -2425,8 +2425,10 @@ static time_t acme_schedule_date(struct ckch_store *store) } else { diff = 7 * 24 * 60 * 60; /* default to 7 days */ } - - return (notAfter - diff); + if (notAfter > diff) /* avoid overflow */ + return (notAfter - diff); + else + return 1; /* epoch+1 is long way expired */ } /*
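Review bot: In the new `else` branch at the end of acme_schedule_date(), `return 1;` is a magic sentinel whose choice over 0 is not explained: the comment says epoch+1 is long expired, but not why 0 is avoided or how callers are expected to treat the value. Callers are not visible in this hunk, so a sentence in the function's comment stating that a return of 1 means "renew immediately", or a named constant in place of the literal, would make the contract explicit. The `/* avoid overflow */` comment on `if (notAfter > diff)` could also say what the commit message says, that the subtraction would wrap or go negative when notAfter is not greater than diff; the declarations of `notAfter` and `diff` are outside the hunk, so it is worth confirming that both have the same signedness so the comparison itself is not affected by an implicit conversion. Minor style points: the blank line that separated the `diff` assignment block from the return was removed, and the `else` after a `return` is redundant.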