BUG/MINOR: ssl: Add missing return value check in ssl_ocsp_response_print
The b_istput function called to append the last data block to the end of
an OCSP response's detailed output was not checked in
ssl_ocsp_response_print. Checks of the ssl_ocsp_response_print return
value were added as well, since some of them were missing.
This error was raised by Coverity (CID 1469513).
This patch fixes GitHub issue #1541.
It can be backported to 2.5.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 758b029..d0acc80 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7567,6 +7567,7 @@
int write = -1;
OCSP_RESPONSE *resp;
const unsigned char *p;
+ int retval = -1;
if (!ocsp_response)
return -1;
@@ -7619,13 +7620,13 @@
ist_double_lf = istist(ist_block, double_lf);
}
- b_istput(out, ist_block);
+ retval = (b_istput(out, ist_block) <= 0);
}
if (bio)
BIO_free(bio);
- return 0;
+ return retval;
}
/*
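Review bot: The return value of ssl_ocsp_response_print now takes three values with no documented meaning: -1 from the early exit and from the initial `retval`, 1 when the final `b_istput` fails, and 0 on success. The caller in the third hunk only tests for non-zero, so this works today, but a later caller written as `< 0` would miss the append failure. I would either normalise the assignment to `retval = (b_istput(out, ist_block) <= 0) ? -1 : 0;` or state the contract in the function's header comment, e.g. `/* Returns 0 on success, non-zero on any failure. */`. The function begins above this hunk, so whether the earlier appends in the loop are checked cannot be confirmed from here.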
@@ -7656,7 +7657,10 @@
if (trash == NULL)
return 1;
- ssl_ocsp_response_print(&ocsp->response, trash);
+ if (ssl_ocsp_response_print(&ocsp->response, trash)) {
+ free_trash_chunk(trash);
+ return 1;
+ }
if (ci_putchk(si_ic(si), trash) == -1) {
si_rx_room_blk(si);
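Review bot: The new failure branch returns 1 after freeing `trash`, the same value as the `trash == NULL` path just above it, and neither path writes anything towards the client. If 1 means "handler finished" here, as the allocation-failure path suggests, the operator gets an empty answer with no indication that printing the OCSP response failed. A comment such as `/* printing the OCSP response failed: end the command without output */` would record the intent, and reporting the error on the CLI would be better if this handler has a way to do so. The enclosing function begins and ends outside this hunk.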