]> git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
projects / thirdparty / apache / httpd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 53135f5)
Merge r1874577 from trunk:
authorYann Ylavic <ylavic@apache.org>
Mon, 23 Mar 2020 17:54:33 +0000 (17:54 +0000)
committerYann Ylavic <ylavic@apache.org>
Mon, 23 Mar 2020 17:54:33 +0000 (17:54 +0000)
mod_ssl: Fix memory leak of OCSP stapling response.

The OCSP_RESPONSE is either ignored or serialized (i2d_OCSP_RESPONSE) in the
TLS response/handshake extension, so it must be freed.

Submitted by: ylavic
Reviewed by: gbechis, rpluem, ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1875552 13f79535-47bb-0310-9956-ffa450edef68

CHANGES patch | blob | blame | history
modules/ssl/ssl_util_stapling.c patch | blob | blame | history

diff --git a/CHANGES b/CHANGES
index 51e85d42e164e06623661420d131a3a8d5dbc028..0a351d1a9de62c63e839a0306520593784b07788 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.43
 
+  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
+
 Changes with Apache 2.4.42
 
   *) mod_proxy_http: Fix the forwarding of requests with content body when a
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index b4f3417943301ccf8056abebd3a73142a7344656..5b3db6bc4c0d56573c038b37b765e89003131457 100644 (file)
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -872,15 +872,21 @@ static int stapling_cb(SSL *ssl, void *arg)
     if (rsp && ((ok == TRUE) || (mctx->stapling_return_errors == TRUE))) {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01956)
                      "stapling_cb: setting response");
-        if (!stapling_set_response(ssl, rsp))
-            return SSL_TLSEXT_ERR_ALERT_FATAL;
-        return SSL_TLSEXT_ERR_OK;
+        if (!stapling_set_response(ssl, rsp)) {
+            rv = SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+        else {
+            rv = SSL_TLSEXT_ERR_OK;
+        }
     }
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01957)
-                 "stapling_cb: no suitable response available");
-
-    return SSL_TLSEXT_ERR_NOACK;
+    else {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01957)
+                     "stapling_cb: no suitable response available");
+        rv = SSL_TLSEXT_ERR_NOACK;
+    }
+    OCSP_RESPONSE_free(rsp); /* NULL safe */
 
+    return rv;
 }
 
 apr_status_t modssl_init_stapling(server_rec *s, apr_pool_t *p,
Mirror of https://github.com/apache/httpd.git