Avoid crashes when processing bad X509 common names (CN).
authorAlex Rousskov <rousskov@measurement-factory.com>
Mon, 21 Nov 2011 16:49:34 +0000 (09:49 -0700)
committerAlex Rousskov <rousskov@measurement-factory.com>
Mon, 21 Nov 2011 16:49:34 +0000 (09:49 -0700)
X509_REQ_get_pubkey() returns a refcounted object that we must clean after use.
X509_REQ_get_subject_name() does not; cleaning the result may cause segfaults.
How we are supposed to tell the difference is beyond me.

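--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
  */
 static bool addCnToRequest(Ssl::X509_REQ_Pointer & request, char const * cn)
 {
-    Ssl::X509_NAME_Pointer name(X509_REQ_get_subject_name(request.get()));
+    // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
+    // returns a pointer to the existing subject name. Nothing to clean here.
+    X509_NAME *name = X509_REQ_get_subject_name(request.get());
     if (!name)
         return false;
 
     // The second argument of the X509_NAME_add_entry_by_txt declared as
     // "char *" on some OS. Use cn_name to avoid compile warnings.
     static char cn_name[3] = "CN";
-    if (!X509_NAME_add_entry_by_txt(name.get(), cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0))
+    if (!X509_NAME_add_entry_by_txt(name, cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0))
         return false;
-    name.release();
+
     return true;
 }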
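Review bot: The `return false;` after `X509_NAME_add_entry_by_txt()` is the path a CN that OpenSSL rejects now takes, and it returns with no diagnostic and leaves whatever OpenSSL pushed onto the thread's error queue in place. Whether the caller drains that queue is not visible in this hunk; if it does not, stale entries can be misattributed to a later TLS operation on the same thread. Consider logging the failure and calling `ERR_clear_error();` before that `return false;`. The new comment could also say outright that `name` is borrowed from `request`, so it must never be freed or used after `request` is destroyed, e.g. `// borrowed from request: do not free, do not keep past request's lifetime`.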