From: Tim Duesterhus <tim@bastelstu.be>
Date: Thu, 19 Mar 2020 15:12:09 +0000 (+0100)
Subject: BUG/MINOR: ssl: Do not free garbage pointers on memory allocation failure
X-Git-Tag: v2.2-dev5~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c12025a7dacecfb6fe5c13bc899c6ffa2727ca1;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: Do not free garbage pointers on memory allocation failure

In `ckch_inst_sni_ctx_to_sni_filters` use `calloc()` to allocate the filter
array. When the function fails to allocate memory for a single entry the
whole array will be `free()`d using free_sni_filters(). With the previous
`malloc()` the pointers for entries after the failing allocation could
possibly be a garbage value.

This bug was introduced in commit 38df1c8006a2adf97f4ad5a183f80cfdcba3da8a,
which is 2.2+. No backport needed.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a92f9c9131..3ff8172770 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3939,7 +3939,7 @@ static int ckch_inst_sni_ctx_to_sni_filters(const struct ckch_inst *ckchi, char
 	if (!tmp_fcount)
 		goto end;
 
-	tmp_filter = malloc(sizeof(*tmp_filter) * tmp_fcount);
+	tmp_filter = calloc(tmp_fcount, sizeof(*tmp_filter));
 	if (!tmp_filter) {
 		errcode |= ERR_FATAL|ERR_ALERT;
 		goto error;