From: William Lallemand <wlallemand@haproxy.com>
Date: Mon, 16 Feb 2026 14:22:47 +0000 (+0100)
Subject: BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser
X-Git-Tag: v3.4-dev5~70
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=86df0e206e94ebfc2a87bf60ec74e86cc0235ffa;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser

In post_section_frontend_crt_init(), the crt_entry is populated by the
ssl_conf fromt the cfg_crt_node. On error path, the crt_list is
completely freed, including the ssl_conf structure. But the ssl_conf
structure was already freed when freeing the cfg_crt_node.

Fix the issue by doing a crtlist_dup_ssl_conf(n->ssl_conf) in the
crtlist_entry instead of an assignation.

Fix issue #3268.

Need to be backported as far as 3.2. The previous patch which adds the
crtlist_dup_ssl_conf() declaration is needed.
---

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 660f88b42..a81f3efe1 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -2558,7 +2558,7 @@ static int post_section_frontend_crt_init()
 		}
 
 		/* must set the ssl_conf in case of duplication of the crtlist_entry */
-		entry->ssl_conf = n->ssl_conf;
+		entry->ssl_conf = crtlist_dup_ssl_conf(n->ssl_conf);
 
 		err_code |= crtlist_load_crt(n->ckch_conf->crt, n->ckch_conf, newlist, entry, n->filename, n->linenum, &err);
 		if (err_code & ERR_CODE)