From 132fe2f259465d59df013afdda4eb5247976e3f4 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Wed, 16 Feb 2022 15:03:51 +0100
Subject: [PATCH] BUG/MINOR: ssl: Fix leak in "show ssl ocsp-response" CLI command
When calling the "show ssl ocsp-response" CLI command some OpenSSL objects need to be created in order to get some information related to the OCSP response and some of them were not freed. It should be backported to 2.5.
(cherry picked from commit 8081b6769902899346f4c717007841190118d349)
Signed-off-by: William Lallemand
---
 src/ssl_sock.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0fb5761..f4efee9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7306,9 +7306,12 @@ static int cli_io_handler_show_ocspresponse(struct appctx *appctx)
 /* Decode the certificate ID (serialized into the key). */
 d2i_OCSP_CERTID(&certid, &p, ocsp->key_length);
+ if (!certid)
+ goto end;
 /* Dump the CERTID info */
 ocsp_certid_print(bio, certid, 1);
+ OCSP_CERTID_free(certid);
 write = BIO_read(bio, tmp->area, tmp->size-1);
 /* strip trailing LFs */
 while (write > 0 && tmp->area[write-1] == '\n')
@@ -7375,7 +7378,7 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
 resp = d2i_OCSP_RESPONSE(NULL, &p, ocsp_response->data);
 if (!resp) {
 chunk_appendf(out, "Unable to parse OCSP response");
- return -1;
+ goto end;
 }
 if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
@@ -7418,9 +7421,12 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
 retval = (b_istput(out, ist_block) <= 0);
 }
+end:
 if (bio) BIO_free(bio);
+ OCSP_RESPONSE_free(resp);
+ return retval;
 }
--
1.7.10.4
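Review bot: `OCSP_CERTID_free(certid);` in the first hunk leaves `certid` pointing at freed memory, and `d2i_OCSP_CERTID(&certid, &p, ...)` attempts to reuse the object whenever the pointer it is handed is non-NULL. The declaration of `certid` and any loop around this code are outside the hunk, so whether the variable is reset before the next decode cannot be confirmed from here. Adding `certid = NULL;` after the free, or switching to `certid = d2i_OCSP_CERTID(NULL, &p, ocsp->key_length);`, makes the decode independent of the surrounding code. The `end` label is also outside the hunk, so what the new `goto end` releases or reports on a decode failure cannot be checked here.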
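Review bot: Replacing `return -1;` with `goto end;` in ssl_ocsp_response_print() makes the parse-failure result depend on whatever `retval` holds at that point, and `retval` is initialised outside this hunk. If it does not still carry the error value there, an unparsable OCSP response would be reported to the caller as success. Writing `retval = -1;` immediately before the `goto end;` keeps the previous contract explicit. The function body starts and ends outside the hunk.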
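Review bot: The shared `end:` path in the last hunk calls `OCSP_RESPONSE_free(resp)` on every exit, which is only safe if `resp` is initialised to NULL at its declaration (outside the hunk). Any jump to `end` taken before the `d2i_OCSP_RESPONSE()` assignment would otherwise free an indeterminate pointer. A comment at the label such as `/* bio and resp must be NULL-initialised: both are released here on every path */` would record that requirement for later edits. As a style point, `BIO_free()` accepts NULL just as `OCSP_RESPONSE_free()` does, so the `if (bio)` guard could be dropped for consistency.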