Fix memory leak in libpq when using sslmode=verify-full

michaelpq · michaelpq · commit e1c08722ae02 · 2020-04-22T07:27:45.000+09:00
Checking if Subject Alternative Names (SANs) from a certificate match with the hostname connected to leaked memory after each lookup done. This is broken since acd08d7 that added support for SANs in SSL certificates, so backpatch down to 9.5. Author: Roman Peshkurov Reviewed-by: Hamid Akhtar, Michael Paquier, David Steele Discussion: https://postgr.es/m/CALLDf-pZ-E3mjxd5=bnHsDu9zHEOnpgPgdnO84E2RuwMCjjyPw@mail.gmail.com Backpatch-through: 9.5
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
@@ -550,7 +550,7 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 			if (rc != 0)
 				break;
 		}
-		sk_GENERAL_NAME_free(peer_san);
+		sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
 	}
 
 	/*

Original file line number	Diff line number	Diff line change
`@@ -550,7 +550,7 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,`
`550`	`550`	`if (rc != 0)`
`551`	`551`	`break;`
`552`	`552`	`}`
`553`		`- sk_GENERAL_NAME_free(peer_san);`
	`553`	`+ sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);`
`554`	`554`	`}`
`555`	`555`
`556`	`556`	`/*`