acme/autocert: always pass AuthzURLs from AuthorizeOrder to deactivatePendingAuthz Previously, the o.AuthzURLs slice was sometimes used from the call to client.WaitOrder at the bottom of the for loop. By that point, o may be nil if client.WaitOrder returned an error, which would cause a nil pointer dereference panic inside the deferred function call. If client.WaitOrder did not return an error, then the call to deactivatePendingAuthz would use its AuthzURLs slice instead of the one from client.AuthorizeOrder. Fixes golang/go#35225 Updates golang/go#21081 Change-Id: I7db055ee1149871b6e5d34a8618526899c68f827 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/203919 Reviewed-by: Alex Vaghin <ddos@google.com>

commit: 8986dd9e96cf0a6f74da406c005ba3df38527c04 [log] [tgz]
author: Dmitri Shuralyov <dmitshur@golang.org> Mon Oct 28 12:10:41 2019 -0400
committer: Dmitri Shuralyov <dmitshur@golang.org> Tue Oct 29 03:18:24 2019 +0000
tree: c54ea57e9eaa45e89efeb9f56b89631773e9a83a
parent: f83a4685e1528a5ebee78469d2a3262e2d505b0b [diff]
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index acae1c3..2ea9e23 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go

@@ -770,9 +770,9 @@
 		}
 		// Remove all hanging authorizations to reduce rate limit quotas
 		// after we're done.
-		defer func() {
-			go m.deactivatePendingAuthz(o.AuthzURLs)
-		}()
+		defer func(urls []string) {
+			go m.deactivatePendingAuthz(urls)
+		}(o.AuthzURLs)
 
 		// Check if there's actually anything we need to do.
 		switch o.Status {
commit	8986dd9e96cf0a6f74da406c005ba3df38527c04	[log] [tgz]
author	Dmitri Shuralyov <dmitshur@golang.org>	Mon Oct 28 12:10:41 2019 -0400
committer	Dmitri Shuralyov <dmitshur@golang.org>	Tue Oct 29 03:18:24 2019 +0000
tree	c54ea57e9eaa45e89efeb9f56b89631773e9a83a
parent	f83a4685e1528a5ebee78469d2a3262e2d505b0b [diff]