From 5a9f4e543d8cf2db993cc3e6ee5c18d2e575d6b8 Mon Sep 17 00:00:00 2001
From: Alex Rousskov
Date: Thu, 24 Nov 2011 00:20:46 -0700
Subject: [PATCH] Avoid crashes when processing bad X509 common names (CN).

X509_REQ_get_pubkey() returns a refcounted object that we must clean after use. X509_REQ_get_subject_name() does not; cleaning the result may cause segfaults. How we are supposed to tell the difference is beyond me.
---
 src/ssl/gadgets.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 057d3c766c..d97d965a85 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -11,16 +11,18 @@
  */
 static bool addCnToRequest(Ssl::X509_REQ_Pointer & request, char const * cn)
 {
-    Ssl::X509_NAME_Pointer name(X509_REQ_get_subject_name(request.get()));
+    // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
+    // returns a pointer to the existing subject name. Nothing to clean here.
+    X509_NAME *name = X509_REQ_get_subject_name(request.get());
     if (!name)
         return false;
 
     // The second argument of the X509_NAME_add_entry_by_txt declared as
     // "char *" on some OS. Use cn_name to avoid compile warnings.
     static char cn_name[3] = "CN";
-    if (!X509_NAME_add_entry_by_txt(name.get(), cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0))
+    if (!X509_NAME_add_entry_by_txt(name, cn_name, MBSTRING_ASC, (unsigned char *)cn, -1, -1, 0))
         return false;
 
-    name.release();
+
     return true;
 }
-- 
2.47.2
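Review bot: The rewritten X509_NAME_add_entry_by_txt call still passes `cn` with a length of -1, which asks OpenSSL to measure the string itself, so a null `cn` is dereferenced inside the library rather than rejected here; since this commit is explicitly about surviving bad common names, a guard alongside the existing null check on `name` would close that path: `if (!name || !cn) return false;`. Whether any caller can actually hand in a null `cn` is not visible from this hunk, so treat that as a cheap defensive check rather than a known crash. Separately, the retained `(unsigned char *)cn` is a C-style cast that strips the const from `cn`; if the OpenSSL build in use declares the `bytes` parameter as `const unsigned char *`, `reinterpret_cast<const unsigned char *>(cn)` expresses the intent without the const_cast, and the hand-written comment on the new `name` line would read more precisely as `// borrowed: X509_REQ_get_subject_name() returns a pointer owned by the request; do not free it.`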