commit e5ff4addb2300db60f5a4d1f99abd54b4a1a94f6
author William Lallemand <wlallemand@haproxy.com> Mon Jun 08 09:40:37 2020 +0200
committer William Lallemand <wlallemand@haproxy.org> Mon Jun 08 09:51:14 2020 +0200
tree fb49d957261c8a879bf4df153aa2552a42bebcba
parent 0041741ef7253fcad2fc98f0b2a9968fb4af3574

BUG/MINOR: ssl: fix a trash buffer leak in some error cases

Fix a trash buffer leak when we can't take the lock of the ckch, or when
"set ssl cert" is wrongly used.

The bug was mentionned in this thread:
https://www.mail-archive.com/haproxy@formilux.org/msg37539.html

The bug was introduced by commit bc6ca7c ("MINOR: ssl/cli: rework 'set
ssl cert' as 'set/commit'").

Must be backported in 2.1.

src/ssl_ckch.c

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index c593649..0f3f743 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1552,9 +1552,6 @@
 	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
 		return 1;
 
-	if ((buf = alloc_trash_chunk()) == NULL)
-		return cli_err(appctx, "Can't allocate memory\n");
-
 	if (!*args[3] || !payload)
 		return cli_err(appctx, "'set ssl cert expects a filename and a certificate as a payload\n");
 
@@ -1563,6 +1560,9 @@
 	if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
 		return cli_err(appctx, "Can't update the certificate!\nOperations on certificates are currently locked!\n");
 
+	if ((buf = alloc_trash_chunk()) == NULL)
+		return cli_err(appctx, "Can't allocate memory\n");
+
 	if (!chunk_strcpy(buf, args[3])) {
 		memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
 		errcode |= ERR_ALERT | ERR_FATAL;