BUG/MINOR: ssl: Add missing return value check in ssl_ocsp_response_print

The b_istput function called to append the last data block to the end of
an OCSP response's detailed output was not checked in
ssl_ocsp_response_print. The ssl_ocsp_response_print return value checks
were added as well since some of them were missing.
This error was raised by Coverity (CID 1469513).

This patch fixes GitHub issue #1541.
It can be backported to 2.5.

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 443c12cacfaca7e80b3cedf696bfaa50f72fede3..24e31309436f39d3ba0dd81f402709ba26f15b6c 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1619,7 +1619,8 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
         * Otherwise, we must rebuild the certificate's certid in order to
         * look for the current OCSP response in the tree. */
        if (from_transaction && ckchs->ckch->ocsp_response) {
-               ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out);
+               if (ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out))
+                       goto end_no_putchk;
        }
        else {
                unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
@@ -1628,7 +1629,8 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
                if (ckch_store_build_certid(ckchs, (unsigned char*)key, &key_length) < 0)
                        goto end_no_putchk;
 
-               ssl_get_ocspresponse_detail(key, out);
+               if (ssl_get_ocspresponse_detail(key, out))
+                       goto end_no_putchk;
        }
 
        if (ci_putchk(si_ic(si), out) == -1) {

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 758b029d8c1ea69872d6dcd42df495659ba7457c..d0acc80dd24ab5b7bbcc303a14d966ab52e91a54 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7567,6 +7567,7 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
        int write = -1;
        OCSP_RESPONSE *resp;
        const unsigned char *p;
+       int retval = -1;
 
        if (!ocsp_response)
                return -1;
@@ -7619,13 +7620,13 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
                        ist_double_lf = istist(ist_block, double_lf);
                }
 
-               b_istput(out, ist_block);
+               retval = (b_istput(out, ist_block) <= 0);
        }
 
        if (bio)
                BIO_free(bio);
 
-       return 0;
+       return retval;
 }
 
 /*
@@ -7656,7 +7657,10 @@ static int cli_io_handler_show_ocspresponse_detail(struct appctx *appctx)
        if (trash == NULL)
                return 1;
 
-       ssl_ocsp_response_print(&ocsp->response, trash);
+       if (ssl_ocsp_response_print(&ocsp->response, trash)) {
+               free_trash_chunk(trash);
+               return 1;
+       }
 
        if (ci_putchk(si_ic(si), trash) == -1) {
                si_rx_room_blk(si);