From 01306f4e82dd61fea5fc9c275cd198d24b1cea7e Mon Sep 17 00:00:00 2001
From: SAY-5
Date: Wed, 22 Apr 2026 21:25:00 -0700
Subject: [PATCH] gnmi_server: fix nil-resp panic when CRL fetch fails
http.Get() returns (nil, err) on network-level failures (DNS, connection refused, TLS handshake, timeout before any response). TryDownload() saved the defer inside `if resp != nil` but then unconditionally dereferenced `resp.StatusCode` in the next line, so any non-transport failure panicked the gNMI server with a nil pointer dereference. Return early on err != nil, then defer close and check StatusCode. Behavior otherwise unchanged. Closes sonic-net/sonic-gnmi#630.
Signed-off-by: SAY-5
---
 gnmi_server/clientCertAuth.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/gnmi_server/clientCertAuth.go b/gnmi_server/clientCertAuth.go
index 381a915e1..cfab803ca 100644
--- a/gnmi_server/clientCertAuth.go
+++ b/gnmi_server/clientCertAuth.go
@@ -159,13 +159,14 @@ func ClientCertAuthenAndAuthor(ctx context.Context, serviceConfigTableName strin
 func TryDownload(url string) bool {
 glog.Infof("Download CRL start: %s", url)
 resp, err := http.Get(url)
-
- if resp != nil {
- defer resp.Body.Close()
+ if err != nil {
+ glog.Infof("Download CRL: %s failed: %v", url, err)
+ return false
 }
+ defer resp.Body.Close()
- if err != nil || resp.StatusCode != http.StatusOK {
- glog.Infof("Download CRL: %s failed: %v", url, err)
+ if resp.StatusCode != http.StatusOK {
+ glog.Infof("Download CRL: %s failed: HTTP %d", url, resp.StatusCode)
 return false
 }
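Review bot: `http.Get(url)` at the top of TryDownload still goes through `http.DefaultClient`, which has no timeout, so a CRL endpoint that accepts the connection and then stalls can block this call indefinitely; the new early return only covers failures that come back as an error. A bounded client would close that gap, for example `client := &http.Client{Timeout: crlFetchTimeout}` followed by `resp, err := client.Get(url)`, where `crlFetchTimeout` is a placeholder for a value the project chooses. The URL is also logged with `%s` in all three `glog.Infof` calls; if it comes from a certificate's CRL distribution point (not visible in this hunk), `%q` would keep control characters out of the log. TryDownload's body continues past the end of the hunk, so how the response body is read and what callers do when it returns `false` cannot be checked from here.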