From: Emmanuel Hocdet <manu@gandi.net>
Date: Mon, 23 Mar 2020 09:31:47 +0000 (+0100)
Subject: BUG/MINOR: ssl: memory leak when find_chain is NULL
X-Git-Tag: v2.2-dev6~88
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4f14eacd37e9de47bf9ecfbbd04a68baf6617ee;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: memory leak when find_chain is NULL

This bug was introduced by 85888573 "BUG/MEDIUM: ssl: chain must be
initialized with sk_X509_new_null()". No need to set find_chain with
sk_X509_new_null(), use find_chain conditionally to fix issue #516.

This bug was referenced by issue #559.

[wla: fix some alignment/indentation issue]
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9b44e9d0b9..45a650a3d3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3634,33 +3634,30 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 			find_chain = issuer->chain;
 	}
 
-	/* If we didn't find a chain we *MUST* use an empty X509 structure */
-	if (find_chain == NULL)
-		find_chain = sk_X509_new_null();
-
 	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+	if (find_chain)
 #ifdef SSL_CTX_set1_chain
-        if (!SSL_CTX_set1_chain(ctx, find_chain)) {
-		memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
-			  err && *err ? *err : "", path);
-		errcode |= ERR_ALERT | ERR_FATAL;
-		goto end;
-	}
+		if (!SSL_CTX_set1_chain(ctx, find_chain)) {
+			memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
+			          err && *err ? *err : "", path);
+			errcode |= ERR_ALERT | ERR_FATAL;
+			goto end;
+		}
 #else
-	{ /* legacy compat (< openssl 1.0.2) */
-		X509 *ca;
-		STACK_OF(X509) *chain;
-		chain = X509_chain_up_ref(find_chain);
-		while ((ca = sk_X509_shift(chain)))
-			if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
-				memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
-					  err && *err ? *err : "", path);
-				X509_free(ca);
-				sk_X509_pop_free(chain, X509_free);
-				errcode |= ERR_ALERT | ERR_FATAL;
-				goto end;
-			}
-	}
+		{ /* legacy compat (< openssl 1.0.2) */
+			X509 *ca;
+			STACK_OF(X509) *chain;
+			chain = X509_chain_up_ref(find_chain);
+			while ((ca = sk_X509_shift(chain)))
+				if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
+					memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
+					          err && *err ? *err : "", path);
+					X509_free(ca);
+					sk_X509_pop_free(chain, X509_free);
+					errcode |= ERR_ALERT | ERR_FATAL;
+					goto end;
+				}
+		}
 #endif
 
 #ifndef OPENSSL_NO_DH