From: Alex Rousskov Date: Mon, 21 Nov 2011 16:49:34 +0000 (-0700) Subject: Avoid crashes when processing bad X509 common names (CN). X-Git-Tag: BumpSslServerFirst.take01~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6894a6f38fdc972e350866e1edcc62775f3c998d;p=thirdparty%2Fsquid.git Avoid crashes when processing bad X509 common names (CN). X509_REQ_get_pubkey() returns a refcounted object that we must clean after use. X509_REQ_get_subject_name() does not; cleaning the result may cause segfaults. How we are supposed to tell the difference is beyond me. --- diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc index 35ddf90148..c1263e78b0 100644 --- a/src/ssl/gadgets.cc +++ b/src/ssl/gadgets.cc @@ -14,16 +14,18 @@ */ static bool addCnToRequest(Ssl::X509_REQ_Pointer & request, char const * cn) { - Ssl::X509_NAME_Pointer name(X509_REQ_get_subject_name(request.get())); + // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name() + // returns a pointer to the existing subject name. Nothing to clean here. + X509_NAME *name = X509_REQ_get_subject_name(request.get()); if (!name) return false; // The second argument of the X509_NAME_add_entry_by_txt declared as // "char *" on some OS. Use cn_name to avoid compile warnings. static char cn_name[3] = "CN"; - if (!X509_NAME_add_entry_by_txt(name.get(), cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0)) + if (!X509_NAME_add_entry_by_txt(name, cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0)) return false; - name.release(); + return true; }
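Review bot: `cn` still reaches `X509_NAME_add_entry_by_txt()` unchecked in the new call, and because the length argument is `-1` OpenSSL measures it with `strlen()`, so a null `cn` would crash inside the library instead of returning false. Whether any caller can pass null is not visible in this hunk, but a guard such as `if (!cn) return false;` ahead of the `name` lookup would match the commit's stated goal of not crashing on bad common names. The `-1` length also means the stored CN stops at the first NUL byte, so if the value is taken from a peer certificate (not shown here) the caller should reject embedded NULs first; I would note that precondition in the function's header comment. Separately, the C-style `(unsigned char *)cn` cast drops `const`; if the supported OpenSSL headers declare that parameter `const`, `reinterpret_cast<const unsigned char *>(cn)` would be safer.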