BUG/MINOR: ssl: Add missing return value check in ssl_ocsp_response_print

The b_istput function called to append the last data block to the end of
an OCSP response's detailed output was not checked in
ssl_ocsp_response_print. The ssl_ocsp_response_print return value checks
were added as well since some of them were missing.
This error was raised by Coverity (CID 1469513).

This patch fixes GitHub issue #1541.
It can be backported to 2.5.

(cherry picked from commit a9a591ab3dcf316e30506ec79eb9c255d2b2106c)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 192ad6c..8433710 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1618,7 +1618,8 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
         * Otherwise, we must rebuild the certificate's certid in order to
         * look for the current OCSP response in the tree. */
        if (from_transaction && ckchs->ckch->ocsp_response) {
-               ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out);
+               if (ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out))
+                       goto end_no_putchk;
        }
        else {
                unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
@@ -1627,7 +1628,8 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
                if (ckch_store_build_certid(ckchs, (unsigned char*)key, &key_length) < 0)
                        goto end_no_putchk;
 
-               ssl_get_ocspresponse_detail(key, out);
+               if (ssl_get_ocspresponse_detail(key, out))
+                       goto end_no_putchk;
        }
 
        if (ci_putchk(si_ic(si), out) == -1) {

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index be9104c..0fb5761 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7362,6 +7362,7 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
        int write = -1;
        OCSP_RESPONSE *resp;
        const unsigned char *p;
+       int retval = -1;
 
        if (!ocsp_response)
                return -1;
@@ -7414,13 +7415,13 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
                        ist_double_lf = istist(ist_block, double_lf);
                }
 
-               b_istput(out, ist_block);
+               retval = (b_istput(out, ist_block) <= 0);
        }
 
        if (bio)
                BIO_free(bio);
 
-       return 0;
+       return retval;
 }
 
 /*
@@ -7451,7 +7452,10 @@ static int cli_io_handler_show_ocspresponse_detail(struct appctx *appctx)
        if (trash == NULL)
                return 1;
 
-       ssl_ocsp_response_print(&ocsp->response, trash);
+       if (ssl_ocsp_response_print(&ocsp->response, trash)) {
+               free_trash_chunk(trash);
+               return 1;
+       }
 
        if (ci_putchk(si_ic(si), trash) == -1) {
                si_rx_room_blk(si);