NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit6148e2b

committed

Fix assorted error-cleanup bugs in SSL min/max protocol version code.

The error exits added to initialize_SSL() failed to clean up thepartially-built SSL_context, and some of them also leaked theresult of SSLerrmessage(). Make them match other error-handlingcases in that function.The error exits added to connectOptions2() failed to set conn->statuslike every other error exit in that function.In passing, make the SSL_get_peer_certificate() error exit look morelike all the other calls of SSLerrmessage().Oversights in commitff8ca5f. Coverity whined about leakage of theSSLerrmessage() results; I noted the rest in manual code review.

1 parent1fd687a commit6148e2bCopy full SHA for 6148e2b

File tree

2 files changed

+10

-3

lines changed

src/interfaces/libpq
- fe-connect.c
- fe-secure-openssl.c

2 files changed

+10

-3

lines changed

`‎src/interfaces/libpq/fe-connect.c`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1306,13 +1306,15 @@ connectOptions2(PGconn *conn)`
`1306`	`1306`	`*/`
`1307`	`1307`	`if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))`
`1308`	`1308`	`{`
	`1309`	`+conn->status=CONNECTION_BAD;`
`1309`	`1310`	`printfPQExpBuffer(&conn->errorMessage,`
`1310`	`1311`	`libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),`
`1311`	`1312`	`conn->sslminprotocolversion);`
`1312`	`1313`	`return false;`
`1313`	`1314`	`}`
`1314`	`1315`	`if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))`
`1315`	`1316`	`{`
	`1317`	`+conn->status=CONNECTION_BAD;`
`1316`	`1318`	`printfPQExpBuffer(&conn->errorMessage,`
`1317`	`1319`	`libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),`
`1318`	`1320`	`conn->sslmaxprotocolversion);`
`@@ -1329,6 +1331,7 @@ connectOptions2(PGconn *conn)`
`1329`	`1331`	`if (!sslVerifyProtocolRange(conn->sslminprotocolversion,`
`1330`	`1332`	`conn->sslmaxprotocolversion))`
`1331`	`1333`	`{`
	`1334`	`+conn->status=CONNECTION_BAD;`
`1332`	`1335`	`printfPQExpBuffer(&conn->errorMessage,`
`1333`	`1336`	`libpq_gettext("invalid SSL protocol version range"));`
`1334`	`1337`	`return false;`

`‎src/interfaces/libpq/fe-secure-openssl.c`

Lines changed: 7 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -854,6 +854,7 @@ initialize_SSL(PGconn *conn)`
`854`	`854`	`printfPQExpBuffer(&conn->errorMessage,`
`855`	`855`	`libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),`
`856`	`856`	`conn->sslminprotocolversion);`
	`857`	`+SSL_CTX_free(SSL_context);`
`857`	`858`	`return-1;`
`858`	`859`	`}`
`859`	`860`
`@@ -864,6 +865,8 @@ initialize_SSL(PGconn *conn)`
`864`	`865`	`printfPQExpBuffer(&conn->errorMessage,`
`865`	`866`	`libpq_gettext("could not set minimum version of SSL protocol: %s\n"),`
`866`	`867`	`err);`
	`868`	`+SSLerrfree(err);`
	`869`	`+SSL_CTX_free(SSL_context);`
`867`	`870`	`return-1;`
`868`	`871`	`}`
`869`	`872`	`}`
`@@ -880,6 +883,7 @@ initialize_SSL(PGconn *conn)`
`880`	`883`	`printfPQExpBuffer(&conn->errorMessage,`
`881`	`884`	`libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),`
`882`	`885`	`conn->sslmaxprotocolversion);`
	`886`	`+SSL_CTX_free(SSL_context);`
`883`	`887`	`return-1;`
`884`	`888`	`}`
`885`	`889`
`@@ -890,6 +894,8 @@ initialize_SSL(PGconn *conn)`
`890`	`894`	`printfPQExpBuffer(&conn->errorMessage,`
`891`	`895`	`libpq_gettext("could not set maximum version of SSL protocol: %s\n"),`
`892`	`896`	`err);`
	`897`	`+SSLerrfree(err);`
	`898`	`+SSL_CTX_free(SSL_context);`
`893`	`899`	`return-1;`
`894`	`900`	`}`
`895`	`901`	`}`
`@@ -1321,9 +1327,7 @@ open_client_SSL(PGconn *conn)`
`1321`	`1327`	`conn->peer=SSL_get_peer_certificate(conn->ssl);`
`1322`	`1328`	`if (conn->peer==NULL)`
`1323`	`1329`	`{`
`1324`		`-char*err;`
`1325`		`-`
`1326`		`-err=SSLerrmessage(ERR_get_error());`
	`1330`	`+char*err=SSLerrmessage(ERR_get_error());`
`1327`	`1331`
`1328`	`1332`	`printfPQExpBuffer(&conn->errorMessage,`
`1329`	`1333`	`libpq_gettext("certificate could not be obtained: %s\n"),`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6148e2b

File tree

2 files changed

2 files changed

`‎src/interfaces/libpq/fe-connect.c`

`‎src/interfaces/libpq/fe-secure-openssl.c`

0 commit comments