commit 949c94e4623ab2852a888237e4d464d3ed9f74f7
author Amaury Denoyelle <adenoyelle@haproxy.com> Wed May 19 11:52:50 2021 +0200
committer Amaury Denoyelle <adenoyelle@haproxy.com> Fri Jun 18 16:42:25 2021 +0200
tree 60b07ae47cf5df2b795d2e1cb3a8bd1128caaba9
parent c593bcdb434b6af6a20225e5aec74bc11558e32e

MINOR: ssl: check allocation in ssl_sock_init_srv

These checks are especially required now as this function will be used
at runtime for dynamic servers.

src/cfgparse-ssl.c

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 6f7a988..3739f3c 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1369,13 +1369,16 @@
 }
 
 /* common function to init ssl_ctx */
-static void ssl_sock_init_srv(struct server *s)
+static int ssl_sock_init_srv(struct server *s)
 {
 	if (global_ssl.connect_default_ciphers && !s->ssl_ctx.ciphers)
 		s->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
-	if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites)
+	if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites) {
 		s->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
+		if (!s->ssl_ctx.ciphersuites)
+			return 1;
+	}
 #endif
 	s->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
 	s->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
@@ -1385,13 +1388,19 @@
 
 	if (!s->ssl_ctx.methods.max)
 		s->ssl_ctx.methods.max = global_ssl.connect_default_sslmethods.max;
+
+	return 0;
 }
 
 /* parse the "check-ssl" server keyword */
 static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
 	newsrv->check.use_ssl = 1;
-	ssl_sock_init_srv(newsrv);
+	if (ssl_sock_init_srv(newsrv)) {
+		memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
 	return 0;
 }
 
@@ -1502,8 +1511,12 @@
 static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
 	/* if default-server have use_ssl, prepare ssl settings */
-	if (newsrv->use_ssl == 1)
-		ssl_sock_init_srv(newsrv);
+	if (newsrv->use_ssl == 1) {
+		if (ssl_sock_init_srv(newsrv)) {
+			memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
+			return ERR_ALERT | ERR_FATAL;
+		}
+	}
 	else {
 		ha_free(&newsrv->ssl_ctx.ciphers);
 	}
@@ -1574,7 +1587,11 @@
 static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
 	newsrv->use_ssl = 1;
-	ssl_sock_init_srv(newsrv);
+	if (ssl_sock_init_srv(newsrv)) {
+		memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
 	return 0;
 }