
Fix assorted error-cleanup bugs in SSL min/max protocol version code.

The error exits added to initialize_SSL() failed to clean up the
partially-built SSL_context, and some of them also leaked the
result of SSLerrmessage().  Make them match other error-handling
cases in that function.

The error exits added to connectOptions2() failed to set conn->status
like every other error exit in that function.

In passing, make the SSL_get_peer_certificate() error exit look more
like all the other calls of SSLerrmessage().

Oversights in commit ff8ca5fad.  Coverity whined about leakage of the
SSLerrmessage() results; I noted the rest in manual code review.
Tom Lane
2020-02-02 13:09:33 -05:00
parent 1fd687a035
commit 6148e2b9a6
2 changed files with 10 additions and 3 deletions


@ -854,6 +854,7 @@ initialize_SSL(PGconn *conn)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
conn->sslminprotocolversion);
SSL_CTX_free(SSL_context);
return -1;
}
@ -864,6 +865,8 @@ initialize_SSL(PGconn *conn)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not set minimum version of SSL protocol: %s\n"),
err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
}
}
@ -880,6 +883,7 @@ initialize_SSL(PGconn *conn)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
conn->sslmaxprotocolversion);
SSL_CTX_free(SSL_context);
return -1;
}
@ -890,6 +894,8 @@ initialize_SSL(PGconn *conn)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not set maximum version of SSL protocol: %s\n"),
err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
}
}
@ -1321,9 +1327,7 @@ open_client_SSL(PGconn *conn)
conn->peer = SSL_get_peer_certificate(conn->ssl);
if (conn->peer == NULL)
{
char *err;
err = SSLerrmessage(ERR_get_error());
char *err = SSLerrmessage(ERR_get_error());
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("certificate could not be obtained: %s\n"),