Do not leak X509s found by SslBump in Server Hellos since r14769.

ParseCertificate() overlocked X509 structures returned by d2i_X509().

Also made ParseCertificate() exception-safe.

diff --git a/src/security/Handshake.cc b/src/security/Handshake.cc
index a546faec06439e5ba9e75f99ebe600bc900dcfff..de6454d18cab23032c511afcb3f200e4d6120e1c 100644 (file)
--- a/src/security/Handshake.cc
+++ b/src/security/Handshake.cc
@@ -542,9 +542,9 @@ Security::HandshakeParser::ParseCertificate(const SBuf &raw, Security::CertPoint
     auto x509Start = reinterpret_cast<const unsigned char *>(raw.rawContent());
     auto x509Pos = x509Start;
     X509 *x509 = d2i_X509(nullptr, &x509Pos, raw.length());
+    pCert.resetWithoutLocking(x509);
     Must(x509); // successfully parsed
     Must(x509Pos == x509Start + raw.length()); // no leftovers
-    pCert.resetAndLock(x509);
 #endif
 }