
Commit 6148e2b

Fix assorted error-cleanup bugs in SSL min/max protocol version code.
The error exits added to initialize_SSL() failed to clean up the partially-built SSL_context, and some of them also leaked the result of SSLerrmessage(). Make them match other error-handling cases in that function. The error exits added to connectOptions2() failed to set conn->status like every other error exit in that function. In passing, make the SSL_get_peer_certificate() error exit look more like all the other calls of SSLerrmessage(). Oversights in commit ff8ca5f. Coverity whined about leakage of the SSLerrmessage() results; I noted the rest in manual code review.
1 parent 1fd687a commit 6148e2b


2 files changed

+10
-3
lines changed


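--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -1306,13 +1306,15 @@ connectOptions2(PGconn *conn)
 */
 if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))
 {
+conn->status = CONNECTION_BAD;
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),
 conn->sslminprotocolversion);
 return false;
 }
 if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))
 {
+conn->status = CONNECTION_BAD;
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),
 conn->sslmaxprotocolversion);
@@ -1329,6 +1331,7 @@ connectOptions2(PGconn *conn)
 if (!sslVerifyProtocolRange(conn->sslminprotocolversion,
 conn->sslmaxprotocolversion))
 {
+conn->status = CONNECTION_BAD;
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("invalid SSL protocol version range"));
 return false;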
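Review bot: The message in the third hunk, `libpq_gettext("invalid SSL protocol version range")`, has no trailing newline, whereas the two sibling messages in the first hunk end with `\n` as libpq errorMessage strings visibly do here; since this commit is already aligning these three error exits with the rest of the function, that line should become `libpq_gettext("invalid SSL protocol version range\n")`. Without it, any text appended to conn->errorMessage afterwards runs onto the same line. connectOptions2 starts before and continues after these hunks, so I cannot see whether other exits in it share the omission.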

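--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -854,6 +854,7 @@ initialize_SSL(PGconn *conn)
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
 conn->sslminprotocolversion);
+SSL_CTX_free(SSL_context);
 return -1;
 }
 
@@ -864,6 +865,8 @@ initialize_SSL(PGconn *conn)
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("could not set minimum version of SSL protocol: %s\n"),
 err);
+SSLerrfree(err);
+SSL_CTX_free(SSL_context);
 return -1;
 }
 }
@@ -880,6 +883,7 @@ initialize_SSL(PGconn *conn)
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
 conn->sslmaxprotocolversion);
+SSL_CTX_free(SSL_context);
 return -1;
 }
 
@@ -890,6 +894,8 @@ initialize_SSL(PGconn *conn)
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("could not set maximum version of SSL protocol: %s\n"),
 err);
+SSLerrfree(err);
+SSL_CTX_free(SSL_context);
 return -1;
 }
 }
@@ -1321,9 +1327,7 @@ open_client_SSL(PGconn *conn)
 conn->peer = SSL_get_peer_certificate(conn->ssl);
 if (conn->peer == NULL)
 {
-char *err;
-
-err = SSLerrmessage(ERR_get_error());
+char *err = SSLerrmessage(ERR_get_error());
 
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("certificate could not be obtained: %s\n"),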
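Review bot: The four patched exits in initialize_SSL each repeat the same hand-written teardown (`SSLerrfree(err); SSL_CTX_free(SSL_context); return -1;` or the shorter form without `SSLerrfree`), which is exactly the copy-and-forget pattern that produced the leaks this commit fixes; a single cleanup label at the end of the function, reached by `goto` from every failure point, would make the next error exit correct by default rather than by review. This is a style point, not a defect in the lines shown, and initialize_SSL begins and ends outside these hunks, so I cannot tell whether its other exits already share a common cleanup path or whether SSL_context is a local that such a label could safely free. In the open_client_SSL hunk the `err` from SSLerrmessage() is used on the following lines but its release is outside the visible range, so I am assuming, per the commit message, that an `SSLerrfree(err)` follows.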
