Avoid potential pfree on NULL on OpenSSL errors

Guard against the pointer being NULL before pfreeing upon an error
returned from OpenSSL.  Also handle errors from X509_NAME_print_ex
which can return -1 on memory allocation errors.

Backpatch down to v15 where the code was added.

Author: Sergey Shinderuk <s.shinderuk@postgrespro.ru>
Discussion: https://postgr.es/m/8db5374d-32e0-6abb-d402-40762511eff2@postgrespro.ru
Backpatch-through: v15

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 658b09988d6c9eaca5b5a5201d4a3f3563f72409..31b6a6eacdf0d330c3517de1900a0d6483ffd729 100644 (file)
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -620,8 +620,11 @@ aloop:
                bio = BIO_new(BIO_s_mem());
                if (!bio)
                {
-                       pfree(port->peer_cn);
-                       port->peer_cn = NULL;
+                       if (port->peer_cn != NULL)
+                       {
+                               pfree(port->peer_cn);
+                               port->peer_cn = NULL;
+                       }
                        return -1;
                }
 
@@ -632,12 +635,15 @@ aloop:
                 * which make regular expression matching a bit easier. Also note that
                 * it prints the Subject fields in reverse order.
                 */
-               X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253);
-               if (BIO_get_mem_ptr(bio, &bio_buf) <= 0)
+               if (X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253) == -1 ||
+                       BIO_get_mem_ptr(bio, &bio_buf) <= 0)
                {
                        BIO_free(bio);
-                       pfree(port->peer_cn);
-                       port->peer_cn = NULL;
+                       if (port->peer_cn != NULL)
+                       {
+                               pfree(port->peer_cn);
+                               port->peer_cn = NULL;
+                       }
                        return -1;
                }
                peer_dn = MemoryContextAlloc(TopMemoryContext, bio_buf->length + 1);
@@ -651,8 +657,11 @@ aloop:
                                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                                         errmsg("SSL certificate's distinguished name contains embedded null")));
                        pfree(peer_dn);
-                       pfree(port->peer_cn);
-                       port->peer_cn = NULL;
+                       if (port->peer_cn != NULL)
+                       {
+                               pfree(port->peer_cn);
+                               port->peer_cn = NULL;
+                       }
                        return -1;
                }