Bug#42158: leak: SSL_get_peer_certificate() doesn't have matching X509_free()

The problem is that the server failed to follow the rule that every X509 object retrieved using SSL_get_peer_certificate() must be explicitly freed by X509_free(). This caused a memory leak for builds linked against OpenSSL where the X509 object is reference counted -- improper counting will prevent the object from being destroyed once the session containing the peer certificate is freed. The solution is to explicitly free every X509 object used.
2025-07-30 16:24:05 +03:00 · 2009-05-25 10:00:18 -03:00
parent 8fb82e3fe0
commit 981ff94d80
3 changed files with 27 additions and 3 deletions
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -936,6 +936,7 @@ int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
 #ifdef HAVE_OPENSSL
    Vio *vio=thd->net.vio;
    SSL *ssl= (SSL*) vio->ssl_arg;
+    X509 *cert;
 #endif

    /*
@ -964,8 +965,11 @@ int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
      */
      if (vio_type(vio) == VIO_TYPE_SSL &&
 	  SSL_get_verify_result(ssl) == X509_V_OK &&
-	  SSL_get_peer_certificate(ssl))
+	  (cert= SSL_get_peer_certificate(ssl)))
+      {
 	user_access= acl_user->access;
+        X509_free(cert);
+      }
      break;
    case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */
      /*
@ -974,7 +978,6 @@ int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
 	If cipher name is specified, we compare it to actual cipher in
 	use.
      */
-      X509 *cert;
      if (vio_type(vio) != VIO_TYPE_SSL ||
 	  SSL_get_verify_result(ssl) != X509_V_OK)
 	break;
@ -1014,6 +1017,7 @@ int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
            sql_print_information("X509 issuer mismatch: should be '%s' "
 			      "but is '%s'", acl_user->x509_issuer, ptr);
          free(ptr);
+          X509_free(cert);
          user_access=NO_ACCESS;
          break;
        }
@ -1033,12 +1037,15 @@ int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
            sql_print_information("X509 subject mismatch: should be '%s' but is '%s'",
                            acl_user->x509_subject, ptr);
          free(ptr);
+          X509_free(cert);
          user_access=NO_ACCESS;
          break;
        }
        user_access= acl_user->access;
        free(ptr);
      }
+      /* Deallocate the X509 certificate. */
+      X509_free(cert);
      break;
 #else  /* HAVE_OPENSSL */
    default: