Fix memory leak in libpq when using sslmode=verify-full

Checking if Subject Alternative Names (SANs) from a certificate match
with the hostname connected to leaked memory after each lookup done.

This is broken since acd08d7 that added support for SANs in SSL
certificates, so backpatch down to 9.5.

Author: Roman Peshkurov
Reviewed-by: Hamid Akhtar, Michael Paquier, David Steele
Discussion: https://postgr.es/m/CALLDf-pZ-E3mjxd5=bnHsDu9zHEOnpgPgdnO84E2RuwMCjjyPw@mail.gmail.com
Backpatch-through: 9.5

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 0f98ef6590ec780e3e2b19f308a881cfb715b028..20ebc6b69090a4ff72529bbbea30ea0ec33e901c 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -620,7 +620,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
                        if (found_match || got_error)
                                break;
                }
-               sk_GENERAL_NAME_free(peer_san);
+               sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
        }
 
        /*