From fe49bb3d0c046628d67d57da15a7034cc2230432 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Thu, 3 Oct 2019 23:46:33 +0200
Subject: [PATCH] BUG/MINOR: ssl: abort on sni allocation failure

The ssl_sock_add_cert_sni() function never return an error when a
sni_ctx allocation fail. It silently ignores the problem and continues
to try to allocate other snis.

It is unlikely that a sni allocation will succeed after one failure and
start a configuration without all the snis. But to avoid any problem we
return a -1 upon an sni allocation error and stop the configuration
parsing.

This patch must be backported in every version supporting the crt-list
sni filters. (as far as 1.5)
---
 src/ssl_sock.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2256385c8..b9ca66246 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2764,7 +2764,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, struct ssl_b
 		for (j = 0; j < len && j < trash.size; j++)
 			trash.area[j] = tolower(name[j]);
 		if (j >= trash.size)
-			return order;
+			return -1;
 		trash.area[j] = 0;
 
 		/* Check for duplicates. */
@@ -2780,7 +2780,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, struct ssl_b
 
 		sc = malloc(sizeof(struct sni_ctx) + len + 1);
 		if (!sc)
-			return order;
+			return -1;
 		memcpy(sc->name.key, trash.area, len + 1);
 		sc->ctx = ctx;
 		sc->conf = conf;
@@ -3331,7 +3331,12 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs,
 
 		/* Update SNI Tree */
 		key_combos[i-1].order = ssl_sock_add_cert_sni(cur_ctx, bind_conf, ssl_conf,
-							      kinfo, str, key_combos[i-1].order);
+		                                              kinfo, str, key_combos[i-1].order);
+		if (key_combos[i-1].order < 0) {
+			memprintf(err, "%sunable to create a sni context.\n", err && *err ? *err : "");
+			rv = 1;
+			goto end;
+		}
 		node = ebmb_next(node);
 	}
 
@@ -3424,8 +3429,13 @@ static int ssl_sock_load_ckchs(const char *path, struct ckch_store *ckchs, struc
 	}
 
 	if (fcount) {
-		while (fcount--)
+		while (fcount--) {
 			order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, sni_filter[fcount], order);
+			if (order < 0) {
+				memprintf(err, "%sunable to create a sni context.\n", err && *err ? *err : "");
+				return 1;
+			}
+		}
 	}
 	else {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
@@ -3437,6 +3447,10 @@ static int ssl_sock_load_ckchs(const char *path, struct ckch_store *ckchs, struc
 					if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
 						order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, str, order);
 						OPENSSL_free(str);
+						if (order < 0) {
+							memprintf(err, "%sunable to create a sni context.\n", err && *err ? *err : "");
+							return 1;
+						}
 					}
 				}
 			}
@@ -3453,6 +3467,10 @@ static int ssl_sock_load_ckchs(const char *path, struct ckch_store *ckchs, struc
 			if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
 				order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, str, order);
 				OPENSSL_free(str);
+				if (order < 0) {
+					memprintf(err, "%sunable to create a sni context.\n", err && *err ? *err : "");
+					return 1;
+				}
 			}
 		}
 	}