From: William Lallemand Date: Fri, 4 Oct 2019 16:38:51 +0000 (+0200) Subject: MINOR: ssl: ssl_sock_load_multi_ckchs() can properly fail X-Git-Tag: v2.1-dev3~91 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c6d12fb66f9be3209116f7b116ae6c4bf3d3a5f;p=thirdparty%2Fhaproxy.git MINOR: ssl: ssl_sock_load_multi_ckchs() can properly fail ssl_sock_load_multi_ckchs() is now able to fail without polluting the bind_conf trees and leaking memory. It is a prerequisite to load certificate on-the-fly with the CLI. The insertion of the sni_ctxs in the trees are done once everything has been allocated correctly. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index e7a7672225..05f64a5c42 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3379,7 +3379,6 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs, /* Key combo contains ckch[n] */ snprintf(cur_file, MAXPATHLEN+1, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]); if (ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err) != 0) { - SSL_CTX_free(cur_ctx); rv = 1; goto end; } @@ -3391,7 +3390,6 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs, if (err) memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n", *err ? *err : "", cur_file); - SSL_CTX_free(cur_ctx); rv = 1; goto end; } @@ -3443,6 +3441,24 @@ end: node = next; } + if (rv > 0) { + struct sni_ctx *sc0, *sc0b; + + /* free the SSL_CTX in case of error */ + for (i = 0; i < SSL_SOCK_POSSIBLE_KT_COMBOS; i++) { + if (key_combos[i].ctx) + SSL_CTX_free(key_combos[i].ctx); + } + + /* free the sni_ctx in case of error */ + list_for_each_entry_safe(sc0, sc0b, &ckch_inst->sni_ctx, by_ckch_inst) { + + ebmb_delete(&sc0->name); + LIST_DEL(&sc0->by_ckch_inst); + free(sc0); + } + } + return rv; } #else