BUG/MINOR: ssl: Missing return value check in ssl_ocsp_response_print

When calling ssl_ocsp_response_print which is used to display an OCSP
response's details when calling the "show ssl ocsp-response" on the CLI,
we use the BIO_read function that copies an OpenSSL BIO into a trash.
The return value was not checked though, which could lead to some
crashes since BIO_read can return a negative value in case of error.

This patch should be backported to 2.5.

(cherry picked from commit 1b01b7f2eff33ca9bd1da9fa628fd07a48c5a7cc)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f4efee9..0f38f47 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7388,6 +7388,8 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
                static struct ist double_lf = IST("\n\n");
 
                write = BIO_read(bio, trash->area, trash->size - 1);
+               if (write <= 0)
+                       goto end;
                trash->data = write;
 
                /* Look for empty lines in the 'trash' buffer and add a space to