From: Yann Ylavic Date: Mon, 23 Mar 2020 17:54:33 +0000 (+0000) Subject: Merge r1874577 from trunk: X-Git-Tag: 2.4.43~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c5e8b08a0a34c1e63be2d3769e9f37b69b633f0;p=thirdparty%2Fapache%2Fhttpd.git Merge r1874577 from trunk: mod_ssl: Fix memory leak of OCSP stapling response. The OCSP_RESPONSE is either ignored or serialized (i2d_OCSP_RESPONSE) in the TLS response/handshake extension, so it must be freed. Submitted by: ylavic Reviewed by: gbechis, rpluem, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1875552 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 51e85d42e16..0a351d1a9de 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.4.43
+ *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
+
 Changes with Apache 2.4.42
 *) mod_proxy_http: Fix the forwarding of requests with content body when a
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index b4f34179433..5b3db6bc4c0 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -872,15 +872,21 @@ static int stapling_cb(SSL *ssl, void *arg)
 if (rsp && ((ok == TRUE) || (mctx->stapling_return_errors == TRUE))) {
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01956) "stapling_cb: setting response");
- if (!stapling_set_response(ssl, rsp))
- return SSL_TLSEXT_ERR_ALERT_FATAL;
- return SSL_TLSEXT_ERR_OK;
+ if (!stapling_set_response(ssl, rsp)) {
+ rv = SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ else {
+ rv = SSL_TLSEXT_ERR_OK;
+ }
 }
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01957)
- "stapling_cb: no suitable response available");
-
- return SSL_TLSEXT_ERR_NOACK;
+ else {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01957)
+ "stapling_cb: no suitable response available");
+ rv = SSL_TLSEXT_ERR_NOACK;
+ }
+ OCSP_RESPONSE_free(rsp); /* NULL safe */
+ return rv;
 }
 apr_status_t modssl_init_stapling(server_rec *s, apr_pool_t *p,
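Review bot: The `OCSP_RESPONSE_free(rsp)` added at the bottom of stapling_cb only runs on paths that fall through to the end of the function, so any earlier `return` above this hunk that executes after `rsp` has been assigned would still leak the response; the function body starts outside the hunk, so this cannot be confirmed from here and is worth checking. Because this callback runs during TLS handshakes, a remaining leak path would presumably let memory grow with client-driven handshakes. It would also help to record the ownership rule next to the free, for example `/* rsp is owned by this callback: stapling_set_response() only serializes it, so it must be freed on every path */`, which matches the commit description.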