database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

Use OPENSSL_free instead of free to avoid instance crash

Browse Source 
OpenSSL handles memory management using **OPENSSL_xxx** API[^1]. For
allocation, there is `OPENSSL_malloc`. To free it, `OPENSSL_free` should
be called.

We've been lucky that OPENSSL (and wolfSSL)'s implementation allowed the
usage of `free` for memory cleanup. However, other OpenSSL forks, such
as AWS-LC[^2], is not this forgiving. It will cause a server crash.

Test case `openssl_1` provides good coverage for this issue. If a user
is created using:
`grant select on test.* to user1@localhost require SUBJECT "...";`
user1 will crash the instance during connection under AWS-LC.

There have been numerous OpenSSL forks[^3]. Due to FIPS[^4] and other
related regulatory requirements, MariaDB will be built using them. This
fix will increase MariaDB's adaptability by using more compliant and
generally accepted API.

All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.

[^1]: https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_malloc.html
[^2]: https://github.com/awslabs/aws-lc
[^3]: https://en.wikipedia.org/wiki/OpenSSL#Forks
[^4]: https://en.wikipedia.org/wiki/FIPS_140-2
This commit is contained in:
Haidong Ji
2022-09-13 00:41:43 +00:00
committed by Daniel Black
parent e46217182f
commit 45755c4e1b
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
sql/sql_acl.cc
View File

@ -13257,11 +13257,11 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
if (global_system_variables.log_warnings)
sql_print_information("X509 issuer mismatch: should be '%s' "
"but is '%s'", acl_user->x509_issuer, ptr);
free(ptr);
OPENSSL_free(ptr);
X509_free(cert);
return 1;
}
free(ptr);
OPENSSL_free(ptr);
}
/* X509 subject is specified, we check it .. */
if (acl_user->x509_subject)
@ -13274,11 +13274,11 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
if (global_system_variables.log_warnings)
sql_print_information("X509 subject mismatch: should be '%s' but is '%s'",
acl_user->x509_subject, ptr);
free(ptr);
OPENSSL_free(ptr);
X509_free(cert);
return 1;
}
free(ptr);
OPENSSL_free(ptr);
}
X509_free(cert);
return 0;