From: Alex Rousskov
Date: Thu, 24 Nov 2011 07:20:46 +0000 (-0700)
Subject: Avoid crashes when processing bad X509 common names (CN).
X-Git-Tag: SQUID_3_1_17~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a9f4e543d8cf2db993cc3e6ee5c18d2e575d6b8;p=thirdparty%2Fsquid.git

Avoid crashes when processing bad X509 common names (CN).

X509_REQ_get_pubkey() returns a refcounted object that we must clean after use. X509_REQ_get_subject_name() does not; cleaning the result may cause segfaults. How we are supposed to tell the difference is beyond me.
---
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 057d3c766c..d97d965a85 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -11,16 +11,18 @@
 */
 static bool addCnToRequest(Ssl::X509_REQ_Pointer & request, char const * cn)
 {
- Ssl::X509_NAME_Pointer name(X509_REQ_get_subject_name(request.get()));
+ // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
+ // returns a pointer to the existing subject name. Nothing to clean here.
+ X509_NAME *name = X509_REQ_get_subject_name(request.get());
 if (!name)
 return false;

 // The second argument of the X509_NAME_add_entry_by_txt declared as
 // "char *" on some OS. Use cn_name to avoid compile warnings.
 static char cn_name[3] = "CN";
- if (!X509_NAME_add_entry_by_txt(name.get(), cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0))
+ if (!X509_NAME_add_entry_by_txt(name, cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0))
 return false;
- name.release();
+
 return true;
 }
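Review bot: The rewritten call `X509_NAME_add_entry_by_txt(name, cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0)` still passes `cn` with length -1, so OpenSSL takes the name only up to the first NUL byte and nothing here can tell whether the original value was longer. If `cn` can originate from a peer certificate or a client-supplied host name (not visible in this hunk), the caller should reject values with an embedded NUL before they reach this function, and a one-line comment such as `// cn must be a NUL-terminated, already validated name` would record that contract. The C-style cast on the same line also drops `const` from `char const *`; `reinterpret_cast<const unsigned char *>(cn)` keeps it, provided the OpenSSL versions this branch builds against declare that parameter const.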