acme/autocert: always pass AuthzURLs from AuthorizeOrder to deactivat…

…ePendingAuthz Previously, the o.AuthzURLs slice was sometimes used from the call to client.WaitOrder at the bottom of the for loop. By that point, o may be nil if client.WaitOrder returned an error, which would cause a nil pointer dereference panic inside the deferred function call. If client.WaitOrder did not return an error, then the call to deactivatePendingAuthz would use its AuthzURLs slice instead of the one from client.AuthorizeOrder. Fixes golang/go#35225 Updates golang/go#21081 Change-Id: I7db055ee1149871b6e5d34a8618526899c68f827 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/203919 Reviewed-by: Alex Vaghin <[email protected]>
LewiGoddard · Oct 29, 2019 · f5cf380 · f5cf380
1 parent 8973dc3
commit f5cf380
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
@@ -770,9 +770,9 @@ AuthorizeOrderLoop:
 		}
 		// Remove all hanging authorizations to reduce rate limit quotas
 		// after we're done.
-		defer func() {
-			go m.deactivatePendingAuthz(o.AuthzURLs)
-		}()
+		defer func(urls []string) {
+			go m.deactivatePendingAuthz(urls)
+		}(o.AuthzURLs)
 
 		// Check if there's actually anything we need to do.
 		switch o.Status {