Avoid potential pfree on NULL on OpenSSL errors

danielgustafsson · danielgustafsson · commit 5f3aa309a880 · 2023-09-22T11:18:25.000+02:00
Guard against the pointer being NULL before pfreeing upon an error returned from OpenSSL. Also handle errors from X509_NAME_print_ex which can return -1 on memory allocation errors. Backpatch down to v15 where the code was added. Author: Sergey Shinderuk <s.shinderuk@postgrespro.ru> Discussion: https://postgr.es/m/8db5374d-32e0-6abb-d402-40762511eff2@postgrespro.ru Backpatch-through: v15
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
@@ -620,8 +620,11 @@ be_tls_open_server(Port *port)
 		bio = BIO_new(BIO_s_mem());
 		if (!bio)
 		{
-			pfree(port->peer_cn);
-			port->peer_cn = NULL;
+			if (port->peer_cn != NULL)
+			{
+				pfree(port->peer_cn);
+				port->peer_cn = NULL;
+			}
 			return -1;
 		}
 
@@ -632,12 +635,15 @@ be_tls_open_server(Port *port)
 		 * which make regular expression matching a bit easier. Also note that
 		 * it prints the Subject fields in reverse order.
 		 */
-		X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253);
-		if (BIO_get_mem_ptr(bio, &bio_buf) <= 0)
+		if (X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253) == -1 ||
+			BIO_get_mem_ptr(bio, &bio_buf) <= 0)
 		{
 			BIO_free(bio);
-			pfree(port->peer_cn);
-			port->peer_cn = NULL;
+			if (port->peer_cn != NULL)
+			{
+				pfree(port->peer_cn);
+				port->peer_cn = NULL;
+			}
 			return -1;
 		}
 		peer_dn = MemoryContextAlloc(TopMemoryContext, bio_buf->length + 1);
@@ -651,8 +657,11 @@ be_tls_open_server(Port *port)
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
 					 errmsg("SSL certificate's distinguished name contains embedded null")));
 			pfree(peer_dn);
-			pfree(port->peer_cn);
-			port->peer_cn = NULL;
+			if (port->peer_cn != NULL)
+			{
+				pfree(port->peer_cn);
+				port->peer_cn = NULL;
+			}
 			return -1;
 		}
 
