From: Remi Tricot-Le Breton Date: Mon, 2 Jan 2023 14:01:16 +0000 (+0100) Subject: BUG/MINOR: ssl: Missing goto in error path in ocsp update code X-Git-Tag: v2.8-dev1~26 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=c389b04bc57bb39da0269e4b5a4d639c8251b99f;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: Missing goto in error path in ocsp update code When converting an OCSP request's information into base64, the return value of a2base64 is checked but processing is not interrupted when it returns a negative value, which was caught by coverity. This patch fixes GitHub issue #1974. It does not need to be backported. --- diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index 220776de42..4a8a33bece 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -640,8 +640,6 @@ int ssl_ocsp_create_request_details(const OCSP_CERTID *certid, struct buffer *re goto end; } - errcode = 0; - /* HTTP based OCSP requests can use either the GET or the POST method to * submit their requests. To enable HTTP caching, small requests (that * after encoding are less than 255 bytes), MAY be submitted using GET. @@ -660,6 +658,7 @@ int ssl_ocsp_create_request_details(const OCSP_CERTID *certid, struct buffer *re if (base64_ret < 0) { memprintf(err, "%sa2base64() error\n", *err ? *err : ""); + goto end; } b64buf->data = base64_ret; @@ -668,12 +667,15 @@ int ssl_ocsp_create_request_details(const OCSP_CERTID *certid, struct buffer *re query_encode_map, b64buf); if (ret && *ret == '\0') { req_url->data = ret - b_orig(req_url); + errcode = 0; } } else { chunk_cpy(req_body, bin_request); + errcode = 0; } + end: OCSP_REQUEST_free(ocsp);
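Review bot: In the hunk at -660/+658, the new `goto end;` inside `if (base64_ret < 0)` jumps to cleanup while b64buf is in use, and the only release visible after `end:` is `OCSP_REQUEST_free(ocsp);`. Please confirm that b64buf needs no explicit release on this path (or that `end:` handles it outside the shown context), and say so in a short comment next to the `goto`. The jump itself is right, since it keeps the negative base64_ret from reaching `b64buf->data = base64_ret;`.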
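Review bot: In the hunk at -668/+667, `if (ret && *ret == '\0')` has no else branch, so when the URL encoding fails the function returns with errcode still set to failure but nothing appended to `err`, unlike the a2base64 path, which calls memprintf. Consider adding an else that records the failure the same way, for example `memprintf(err, "%s...\n", *err ? *err : "");` with a message naming the encode step, so callers that log `err` can tell the two failures apart. Setting `errcode = 0;` only in the two success branches is otherwise a clear improvement over clearing it before the work is done.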