The SSL_get_peer_certificate OpenSSL function increases the lock for the X509
object it returns, so an X509 object retrieved using this function must be
released with X509_free after use.

This patch uses the Ssl::X509_Pointer TidyPointer to release the X509 object
retrieved with the SSL_get_peer_certificate function inside the
Ssl::PeerConnector::handleNegotiateError method.

This is a Measurement Factory project.
// Abort if no certificate found probably because of malformed or
// unsupported server Hello message (TODO: make configurable).
#if 1
+ Ssl::X509_Pointer serverCert(SSL_get_peer_certificate(ssl));
if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) &&
- SSL_get_peer_certificate(ssl) &&
+ serverCert.get() &&
(srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) {
debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
checkForPeekAndSplice();
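Review bot: the new serverCert declaration sits outside the if condition, so SSL_get_peer_certificate(ssl) is now called on every pass through this block, where it used to be skipped whenever the SSL_get_ex_data check short-circuited, and the extra reference is held until serverCert leaves the enclosing scope, which these lines do not show. That is correct for fixing the leak, but a one-line comment above the declaration saying that serverCert owns the reference and releases it with X509_free would keep a later cleanup from folding the call back into the condition. Any other bare SSL_get_peer_certificate(ssl) call in this method should get the same wrapper, or reuse serverCert, rather than taking a second unreleased reference.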