BUG/MINOR: ssl: Fix leak in "show ssl ocsp-response" CLI command
When calling the "show ssl ocsp-response" CLI command some OpenSSL
objects need to be created in order to get some information related to
the OCSP response and some of them were not freed.
It should be backported to 2.5.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d0acc80..4d2fcc3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7511,9 +7511,12 @@
/* Decode the certificate ID (serialized into the key). */
d2i_OCSP_CERTID(&certid, &p, ocsp->key_length);
+ if (!certid)
+ goto end;
/* Dump the CERTID info */
ocsp_certid_print(bio, certid, 1);
+ OCSP_CERTID_free(certid);
write = BIO_read(bio, tmp->area, tmp->size-1);
/* strip trailing LFs */
while (write > 0 && tmp->area[write-1] == '\n')
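Review bot: The added `OCSP_CERTID_free(certid)` leaves `certid` dangling, while `d2i_OCSP_CERTID(&certid, ...)` tries to reuse any object that a non-NULL `*a` points at. If this code runs more than once with the same variable (the declaration and any enclosing loop are outside the hunk), the next decode would operate on freed memory, and the new `if (!certid)` test would no longer reflect the decode result. Decoding into a fresh object removes that dependency: `certid = d2i_OCSP_CERTID(NULL, &p, ocsp->key_length);` followed by the same `if (!certid) goto end;`. The failure path also jumps to `end` without writing anything to the output, so a short message before the `goto` would tell the operator why the listing stopped.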
@@ -7580,7 +7583,7 @@
resp = d2i_OCSP_RESPONSE(NULL, &p, ocsp_response->data);
if (!resp) {
chunk_appendf(out, "Unable to parse OCSP response");
- return -1;
+ goto end;
}
if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
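Review bot: With `return -1` replaced by `goto end`, the parse-failure branch now returns whatever `retval` holds at that point, and its initial value is not visible in this hunk. If `retval` does not start at a failure value, callers would see success right after "Unable to parse OCSP response" was appended. Either confirm the initialiser at the declaration, which is above the hunk, or make the branch explicit with `retval = -1;` just before `goto end;`.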
@@ -7623,9 +7626,12 @@
retval = (b_istput(out, ist_block) <= 0);
}
+end:
if (bio)
BIO_free(bio);
+ OCSP_RESPONSE_free(resp);
+
return retval;
}
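Review bot: `OCSP_RESPONSE_free(resp)` under the new `end:` label is only safe if `resp` is NULL or a valid object on every path that reaches the label. The declaration is outside this hunk, so it should be checked that it reads `OCSP_RESPONSE *resp = NULL;`. Otherwise any `goto end` taken before the `d2i_OCSP_RESPONSE` assignment, now or after a later edit, would free an indeterminate pointer. `OCSP_RESPONSE_free` accepts NULL, so no guard is needed once the initialiser is in place.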