From a096260cfe3f87be440031af72ae56412cc468c5 Mon Sep 17 00:00:00 2001
From: Sasank <sasankponduru29@gmail.com>
Date: Tue, 2 Jun 2026 23:19:27 +0530
Subject: [PATCH] Fix data race in SSLCertContext copy & assignment

Resolve concurrent read/write data races by using std::scoped_lock in operator= and locking other.ctx_mutex at the start of the copy constructor.
---
 src/iocore/net/SSLCertLookup.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/iocore/net/SSLCertLookup.cc b/src/iocore/net/SSLCertLookup.cc
index fc715fc5f90..1f202a45c00 100644
--- a/src/iocore/net/SSLCertLookup.cc
+++ b/src/iocore/net/SSLCertLookup.cc
@@ -233,24 +233,24 @@ ssl_create_ticket_keyblock(const char *ticket_key_path)
 
 SSLCertContext::SSLCertContext(SSLCertContext const &other)
 {
+  std::lock_guard<std::mutex> lock(other.ctx_mutex);
   opt        = other.opt;
   userconfig = other.userconfig;
   keyblock   = other.keyblock;
   ctx_type   = other.ctx_type;
-  std::lock_guard<std::mutex> lock(other.ctx_mutex);
-  ctx = other.ctx;
+  ctx        = other.ctx;
 }
 
 SSLCertContext &
 SSLCertContext::operator=(SSLCertContext const &other)
 {
   if (&other != this) {
+    std::scoped_lock lock(this->ctx_mutex, other.ctx_mutex);
     this->opt        = other.opt;
     this->userconfig = other.userconfig;
     this->keyblock   = other.keyblock;
     this->ctx_type   = other.ctx_type;
-    std::lock_guard<std::mutex> lock(other.ctx_mutex);
-    this->ctx = other.ctx;
+    this->ctx        = other.ctx;
   }
   return *this;
 }