From e5ff4addb2300db60f5a4d1f99abd54b4a1a94f6 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Mon, 8 Jun 2020 09:40:37 +0200 Subject: [PATCH] BUG/MINOR: ssl: fix a trash buffer leak in some error cases Fix a trash buffer leak when we can't take the lock of the ckch, or when "set ssl cert" is wrongly used. The bug was mentionned in this thread: https://www.mail-archive.com/haproxy@formilux.org/msg37539.html The bug was introduced by commit bc6ca7c ("MINOR: ssl/cli: rework 'set ssl cert' as 'set/commit'"). Must be backported in 2.1. --- src/ssl_ckch.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index c59364930..0f3f743ea 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1552,9 +1552,6 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) return 1; - if ((buf = alloc_trash_chunk()) == NULL) - return cli_err(appctx, "Can't allocate memory\n"); - if (!*args[3] || !payload) return cli_err(appctx, "'set ssl cert expects a filename and a certificate as a payload\n"); @@ -1563,6 +1560,9 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) return cli_err(appctx, "Can't update the certificate!\nOperations on certificates are currently locked!\n"); + if ((buf = alloc_trash_chunk()) == NULL) + return cli_err(appctx, "Can't allocate memory\n"); + if (!chunk_strcpy(buf, args[3])) { memprintf(&err, "%sCan't allocate memory\n", err ? err : ""); errcode |= ERR_ALERT | ERR_FATAL;