From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Wed, 19 May 2021 09:52:50 +0000 (+0200)
Subject: MINOR: ssl: check allocation in ssl_sock_init_srv
X-Git-Tag: v2.5-dev1~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=949c94e4623ab2852a888237e4d464d3ed9f74f7;p=thirdparty%2Fhaproxy.git

MINOR: ssl: check allocation in ssl_sock_init_srv

These checks are especially required now as this function will be used
at runtime for dynamic servers.
---

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 6f7a988bb4..3739f3cda6 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1369,13 +1369,16 @@ static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, stru
 }
 
 /* common function to init ssl_ctx */
-static void ssl_sock_init_srv(struct server *s)
+static int ssl_sock_init_srv(struct server *s)
 {
 	if (global_ssl.connect_default_ciphers && !s->ssl_ctx.ciphers)
 		s->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
-	if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites)
+	if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites) {
 		s->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
+		if (!s->ssl_ctx.ciphersuites)
+			return 1;
+	}
 #endif
 	s->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
 	s->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
@@ -1385,13 +1388,19 @@ static void ssl_sock_init_srv(struct server *s)
 
 	if (!s->ssl_ctx.methods.max)
 		s->ssl_ctx.methods.max = global_ssl.connect_default_sslmethods.max;
+
+	return 0;
 }
 
 /* parse the "check-ssl" server keyword */
 static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
 	newsrv->check.use_ssl = 1;
-	ssl_sock_init_srv(newsrv);
+	if (ssl_sock_init_srv(newsrv)) {
+		memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
 	return 0;
 }
 
@@ -1502,8 +1511,12 @@ static int srv_parse_no_send_proxy_cn(char **args, int *cur_arg, struct proxy *p
 static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
 	/* if default-server have use_ssl, prepare ssl settings */
-	if (newsrv->use_ssl == 1)
-		ssl_sock_init_srv(newsrv);
+	if (newsrv->use_ssl == 1) {
+		if (ssl_sock_init_srv(newsrv)) {
+			memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
+			return ERR_ALERT | ERR_FATAL;
+		}
+	}
 	else {
 		ha_free(&newsrv->ssl_ctx.ciphers);
 	}
@@ -1574,7 +1587,11 @@ static int srv_parse_sni(char **args, int *cur_arg, struct proxy *px, struct ser
 static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
 	newsrv->use_ssl = 1;
-	ssl_sock_init_srv(newsrv);
+	if (ssl_sock_init_srv(newsrv)) {
+		memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
 	return 0;
 }