From: William Lallemand Date: Tue, 11 Aug 2020 09:18:46 +0000 (+0200) Subject: BUG/MINOR: ssl: double free w/ smp_fetch_ssl_x_chain_der() X-Git-Tag: v2.3-dev3~6 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=e3a5f84e53b407bf06e38922bc5f24379d759086;p=haproxy-2.5.git BUG/MINOR: ssl: double free w/ smp_fetch_ssl_x_chain_der() smp_fetch_ssl_x_chain_der() uses the SSL_get_peer_cert_chain() which does not increment the refcount of the chain, so it should not be free'd. The bug was introduced by a598b50 ("MINOR: ssl: add ssl_{c,s}_chain_der fetch methods"). No backport needed. --- diff --git a/src/ssl_sample.c b/src/ssl_sample.c index a21ae33..0f59365 100644 --- a/src/ssl_sample.c +++ b/src/ssl_sample.c @@ -198,8 +198,6 @@ smp_fetch_ssl_x_chain_der(const struct arg *args, struct sample *smp, const char out: if (tmp_trash) free_trash_chunk(tmp_trash); - if (certs) - sk_X509_pop_free(certs, X509_free); return ret; }
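Review bot: At the `out:` label, once the `sk_X509_pop_free(certs, X509_free);` call is gone, nothing in the cleanup path records that `certs` is a borrowed pointer, so a later cleanup pass could easily re-add the free. A short comment at `out:` or at the assignment would help, for example `/* certs comes from SSL_get_peer_cert_chain(): no refcount taken, do not free */`, which states the ownership rule the commit message gives. The hunk shows only the tail of the function, so it is also worth confirming that `SSL_get_peer_cert_chain()` is the only source of `certs` in smp_fetch_ssl_x_chain_der(); if any other path stored an owned chain in it, that path would now leak.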