From: Alex Rousskov Date: Wed, 5 Oct 2016 04:10:26 +0000 (-0600) Subject: Do not leak X509s found by SslBump in Server Hellos since r14769. X-Git-Tag: SQUID_4_0_15~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=561699b3b382993edb99560b441cbb2b101959fc;p=thirdparty%2Fsquid.git Do not leak X509s found by SslBump in Server Hellos since r14769. ParseCertificate() overlocked X509 structures returned by d2i_X509(). Also made ParseCertificate() exception-safe.
---
diff --git a/src/security/Handshake.cc b/src/security/Handshake.cc
index a546faec06..de6454d18c 100644
--- a/src/security/Handshake.cc
+++ b/src/security/Handshake.cc
@@ -542,9 +542,9 @@ Security::HandshakeParser::ParseCertificate(const SBuf &raw, Security::CertPoint
 auto x509Start = reinterpret_cast(raw.rawContent());
 auto x509Pos = x509Start;
 X509 *x509 = d2i_X509(nullptr, &x509Pos, raw.length());
+ pCert.resetWithoutLocking(x509);
 Must(x509); // successfully parsed
 Must(x509Pos == x509Start + raw.length()); // no leftovers
- pCert.resetAndLock(x509);
 #endif
 }
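Review bot: On the new side `pCert.resetWithoutLocking(x509)` runs before both `Must()` checks, so the caller's out-parameter is overwritten even when the input is rejected: it is reset with a null pointer when d2i_X509() fails, and it holds a certificate that was followed by trailing bytes when the leftovers check throws. That ordering is what closes the leak, but nothing in the code says so; a comment such as `// take ownership before any Must() can throw; pCert must not be used if we throw` would keep a later cleanup from moving the line back below the checks. Callers that catch the exception should presumably treat pCert as invalid afterwards, since the bytes come from a Server Hello, but they are not visible here. The function's signature and opening lines are outside the hunk.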