blob: d01dc57c693b1a1efbcbeb1af68b846ad1b1ff5a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
commit 0ebb1d424da107ad4010b261f63e16e857465fc0
Author: William Lallemand <wlallemand@haproxy.org>
Date: Thu Jan 23 11:42:52 2020 +0100
BUG/MINOR: ssl: increment issuer refcount if in chain
When using the OCSP response, if the issuer of the response is in
the certificate chain, its address will be stored in ckch->ocsp_issuer.
However, since the ocsp_issuer could be filled by a separate file, this
pointer is free'd. The refcount of the X509 need to be incremented to
avoid a double free if we free the ocsp_issuer AND the chain.
(cherry picked from commit b829dda57b4c8a44eff53682ed56492ad46ce3ad)
[wt: checked with William, needed for 2.1]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e320d908f..180637e6b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3307,6 +3307,7 @@ static int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_c
issuer = sk_X509_value(ckch->chain, i);
if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) {
ckch->ocsp_issuer = issuer;
+ X509_up_ref(ckch->ocsp_issuer);
break;
} else
issuer = NULL;
|