fdaa55a918
- Major version jump from v2.0 to v2.1 - Update haproxy download URL and hash - Add new patches (see https://www.haproxy.org/bugs/bugs-2.1.2.html) - Stop building LUA 5.3 in the haproxy build-process and use liblua5.3 as a dependency instead Signed-off-by: Christian Lachner <gladiac@gmail.com>
28 lines
1.1 KiB
Diff
28 lines
1.1 KiB
Diff
commit 0ebb1d424da107ad4010b261f63e16e857465fc0
|
|
Author: William Lallemand <wlallemand@haproxy.org>
|
|
Date: Thu Jan 23 11:42:52 2020 +0100
|
|
|
|
BUG/MINOR: ssl: increment issuer refcount if in chain
|
|
|
|
When using the OCSP response, if the issuer of the response is in
|
|
the certificate chain, its address will be stored in ckch->ocsp_issuer.
|
|
However, since the ocsp_issuer could be filled by a separate file, this
|
|
pointer is free'd. The refcount of the X509 need to be incremented to
|
|
avoid a double free if we free the ocsp_issuer AND the chain.
|
|
|
|
(cherry picked from commit b829dda57b4c8a44eff53682ed56492ad46ce3ad)
|
|
[wt: checked with William, needed for 2.1]
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
|
|
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
|
index e320d908f..180637e6b 100644
|
|
--- a/src/ssl_sock.c
|
|
+++ b/src/ssl_sock.c
|
|
@@ -3307,6 +3307,7 @@ static int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_c
|
|
issuer = sk_X509_value(ckch->chain, i);
|
|
if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) {
|
|
ckch->ocsp_issuer = issuer;
|
|
+ X509_up_ref(ckch->ocsp_issuer);
|
|
break;
|
|
} else
|
|
issuer = NULL;
|