mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 06:11:32 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: memory leak when find_chain is NULL

Browse Source 
This bug was introduced by 85888573 "BUG/MEDIUM: ssl: chain must be
initialized with sk_X509_new_null()". No need to set find_chain with
sk_X509_new_null(), use find_chain conditionally to fix issue #516.

This bug was referenced by issue #559.

[wla: fix some alignment/indentation issue]
This commit is contained in:
Emmanuel Hocdet 2020-03-23 10:31:47 +01:00 committed by William Lallemand
parent 3328f18596
commit f4f14eacd3
1 changed files with 21 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/ssl_sock.c
View File

@ -3634,33 +3634,30 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
find_chain = issuer->chain; find_chain = issuer->chain;
} }
/* If we didn't find a chain we *MUST* use an empty X509 structure */
if (find_chain == NULL)
find_chain = sk_X509_new_null();
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */ /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
if (find_chain)
#ifdef SSL_CTX_set1_chain #ifdef SSL_CTX_set1_chain
if (!SSL_CTX_set1_chain(ctx, find_chain)) { if (!SSL_CTX_set1_chain(ctx, find_chain)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n", memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
#else #else
{ /* legacy compat (< openssl 1.0.2) */ { /* legacy compat (< openssl 1.0.2) */
X509 *ca; X509 *ca;
STACK_OF(X509) *chain; STACK_OF(X509) *chain;
chain = X509_chain_up_ref(find_chain); chain = X509_chain_up_ref(find_chain);
while ((ca = sk_X509_shift(chain))) while ((ca = sk_X509_shift(chain)))
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) { if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n", memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
X509_free(ca); X509_free(ca);
sk_X509_pop_free(chain, X509_free); sk_X509_pop_free(chain, X509_free);
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
} }
#endif #endif
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH