From: Willy Tarreau
Date: Fri, 15 May 2026 06:09:26 +0000 (+0000)
Subject: BUG/MEDIUM: server/cli: unlock server lock on failure in cli_parse_set_server
X-Git-Tag: v3.4-dev13~69
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8aa99dfc745ffd4323f311e70e990753a9f9f364;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: server/cli: unlock server lock on failure in cli_parse_set_server

In cli_parse_set_server()'s 'ssl' branch, the server lock is taken, and not released in case srv_set_ssl() fails, resulting in a deadlock and a panic the next time an attempt to touch this server is made. The lock must be released on all error paths.

This was introduced in 3.3 by commit f8f94ffc9 ("BUG/MEDIUM: server: Use sni as pool connection name for SSL server only") which was marked for backporting to 3.0, so this must likely be backported that far.
---
diff --git a/src/server.c b/src/server.c index df87e7476..fce4ab71e 100644 --- a/src/server.c +++ b/src/server.c @@ -5711,11 +5711,13 @@ static int cli_parse_set_server(char **args, char *payload, struct appctx *appct HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); if (strcmp(args[4], "on") == 0) { if (srv_set_ssl(sv, 1)) { + HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); cli_dynerr(appctx, memprintf(&err, "failed to enable ssl for server %s.\n", args[2])); goto out; } } else if (strcmp(args[4], "off") == 0) { if (srv_set_ssl(sv, 0)) { + HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); cli_dynerr(appctx, memprintf(&err, "failed to disable ssl for server %s.\n", args[2])); goto out; }
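
Review bot: The unlock is now repeated by hand in both srv_set_ssl() failure branches (the "on" case and the "off" case), each immediately before a `goto out;` that evidently does not release SERVER_LOCK itself, so any error exit added to this block later can reintroduce the same deadlock. Consider keeping the result in a local (a hypothetical `ret = srv_set_ssl(sv, 1);`), releasing the lock once after the if/else chain, and only then calling cli_dynerr() and jumping to out; that also keeps memprintf() outside the spinlock, as these two additions already do. The hunk's context ends inside the "off" branch, so it is worth confirming that whatever follows it (for instance a branch for values other than "on" and "off", if there is one) cannot reach out with the lock still held.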