From: William Lallemand Date: Mon, 8 Jun 2020 07:40:37 +0000 (+0200) Subject: BUG/MINOR: ssl: fix a trash buffer leak in some error cases X-Git-Tag: v2.2-dev9~149 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5ff4ad;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: fix a trash buffer leak in some error cases Fix a trash buffer leak when we can't take the lock of the ckch, or when "set ssl cert" is wrongly used. The bug was mentionned in this thread: https://www.mail-archive.com/haproxy@formilux.org/msg37539.html The bug was introduced by commit bc6ca7c ("MINOR: ssl/cli: rework 'set ssl cert' as 'set/commit'"). Must be backported in 2.1. --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index c59364930c..0f3f743ea7 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1552,9 +1552,6 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) return 1; - if ((buf = alloc_trash_chunk()) == NULL) - return cli_err(appctx, "Can't allocate memory\n"); - if (!*args[3] || !payload) return cli_err(appctx, "'set ssl cert expects a filename and a certificate as a payload\n"); @@ -1563,6 +1560,9 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) return cli_err(appctx, "Can't update the certificate!\nOperations on certificates are currently locked!\n"); + if ((buf = alloc_trash_chunk()) == NULL) + return cli_err(appctx, "Can't allocate memory\n"); + if (!chunk_strcpy(buf, args[3])) { memprintf(&err, "%sCan't allocate memory\n", err ? err : ""); errcode |= ERR_ALERT | ERR_FATAL;