From: Emmanuel Hocdet
Date: Fri, 25 Oct 2019 09:55:03 +0000 (+0200)
Subject: BUG/MINOR: ssl: double free on error for ckch->{key,cert}
X-Git-Tag: v2.1-dev4~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83cbd3c89fdea95d78f1d7fcf36a088599f3adfd;p=thirdparty%2Fhaproxy.git
BUG/MINOR: ssl: double free on error for ckch->{key,cert}
On last error in ssl_sock_load_pem_into_ckch, key/cert are released and ckch->{key,cert} are released in ssl_sock_free_cert_key_and_chain_contents.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c6878e4608..770216d4a0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3097,7 +3097,7 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
 {
 BIO *in = NULL;
 int ret = 1;
- X509 *ca = NULL;
+ X509 *ca;
 X509 *cert = NULL;
 EVP_PKEY *key = NULL;
 DH *dh;
@@ -3172,10 +3172,12 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
 if (ckch->key) /* free the previous key */
 EVP_PKEY_free(ckch->key);
 ckch->key = key;
+ key = NULL;
 if (ckch->cert) /* free the previous cert */
 X509_free(ckch->cert);
 ckch->cert = cert;
+ cert = NULL;
 /* Look for a Certificate Chain */
 ca = PEM_read_bio_X509(in, NULL, NULL, NULL);
@@ -3215,12 +3217,10 @@ end:
 ERR_clear_error();
 if (in)
 BIO_free(in);
- if (ret != 0) {
- if (key)
- EVP_PKEY_free(key);
- if (cert)
- X509_free(cert);
- }
+ if (key)
+ EVP_PKEY_free(key);
+ if (cert)
+ X509_free(cert);
 return ret;
 }
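Review bot: Dropping the initializer in `X509 *ca;` leaves `ca` indeterminate until the `ca = PEM_read_bio_X509(in, NULL, NULL, NULL);` assignment in the second hunk, and the change is not needed for the double-free fix the commit describes. The cleanup visible after `end:` does not read `ca`, so this is probably harmless today, but it removes a cheap guard against a later edit that tests or frees `ca` on an early-exit path. I would keep `X509 *ca = NULL;`, or declare `ca` inside the block that parses the chain. The body between the hunks is not shown, so whether any path reads `ca` before the assignment cannot be confirmed from here.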
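Review bot: The added `key = NULL;` and `cert = NULL;` carry the whole fix, yet nothing at the two sites says the pointer has just changed owner, so they read like dead stores that a later cleanup pass could delete. A short comment on each, such as `/* now owned by ckch: clear the local so the cleanup at end: cannot free it again */`, would make the hand-over explicit. The statements sit in the middle of ssl_sock_load_pem_into_ckch, whose start and end are outside this hunk.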
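Review bot: With the `if (ret != 0)` guard gone, the two frees after `end:` also run on the success path, so they are safe only while every pointer stored into `ckch` has had its local cleared first. A future path that stores `key` or `cert` into `ckch` and forgets the clear would free an object `ckch` still references even on a successful load. I would state the invariant above the frees, e.g. `/* key and cert are non-NULL here only if they were never handed to ckch */`. The `if (key)` and `if (cert)` tests may also be redundant if every TLS library this file builds against treats a NULL argument to `EVP_PKEY_free()` and `X509_free()` as a no-op, which is worth confirming before dropping them. The function starts outside this hunk.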