From: William Lallemand <wlallemand@haproxy.com>
Date: Thu, 31 Oct 2019 10:43:45 +0000 (+0100)
Subject: BUG/MINOR: ssl/cli: check trash allocation in cli_io_handler_commit_cert()
X-Git-Tag: v2.1-dev4~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33cc76f918e4a7a76360e88f6ed50f924befeef9;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl/cli: check trash allocation in cli_io_handler_commit_cert()

Possible NULL pointer dereference found by coverity.

Fix #350 #340.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0e4244dc99..772310b78e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -10016,6 +10016,9 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 	struct ckch_inst *ckchi, *ckchis;
 	struct buffer *trash = alloc_trash_chunk();
 
+	if (trash == NULL)
+		goto error;
+
 	if (unlikely(si_ic(si)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
 		goto error;
 
@@ -10142,10 +10145,12 @@ yield:
 
 error:
 	/* spin unlock and free are done in the release  function */
-	chunk_appendf(trash, "\n%sFailed!\n", err);
-	if (ci_putchk(si_ic(si), trash) == -1)
-		si_rx_room_blk(si);
-	free_trash_chunk(trash);
+	if (trash) {
+		chunk_appendf(trash, "\n%sFailed!\n", err);
+		if (ci_putchk(si_ic(si), trash) == -1)
+			si_rx_room_blk(si);
+		free_trash_chunk(trash);
+	}
 	/* error: call the release function and don't come back */
 	return 1;
 }