From 79cc06b1801cad4700aa5eabf1e6ed6f5c9786bf Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Mon, 8 Aug 2016 21:49:32 +0100 Subject: [PATCH] [237] Fix memory leak when verifying a server certificate. Only for certificates with a subjectAltName. Closes #237. Thanks to MrSaturday. Bug: https://github.com/eclipse/mosquitto/issues/237 --- ChangeLog.txt | 2 ++ lib/tls_mosq.c | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/ChangeLog.txt b/ChangeLog.txt index 6a2466cb..696c25e4 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -15,6 +15,8 @@ Broker: Client library: - Support OpenSSL 1.1.0. - Fixed the C++ library not allowing SOCKS support to be used. Closes #198. +- Fix memory leak when verifying a server certificate with a subjectAltName + section. Closes #237. Build: - Don't attempt to install docs when WITH_DOCS=no. Closes #184. diff --git a/lib/tls_mosq.c b/lib/tls_mosq.c index 7fd78a59..20f0d3ae 100644 --- a/lib/tls_mosq.c +++ b/lib/tls_mosq.c @@ -129,6 +129,7 @@ int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname) if(nval->type == GEN_DNS){ data = ASN1_STRING_data(nval->d.dNSName); if(data && !mosquitto__cmp_hostname_wildcard((char *)data, hostname)){ + sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); return 1; } have_san_dns = true; @@ -136,20 +137,24 @@ int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname) data = ASN1_STRING_data(nval->d.iPAddress); if(nval->d.iPAddress->length == 4 && ipv4_ok){ if(!memcmp(ipv4_addr, data, 4)){ + sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); return 1; } }else if(nval->d.iPAddress->length == 16 && ipv6_ok){ if(!memcmp(ipv6_addr, data, 16)){ + sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); return 1; } } } } + sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); if(have_san_dns){ /* Only check CN if subjectAltName DNS entry does not exist. */ return 0; } } + subj = X509_get_subject_name(cert); if(X509_NAME_get_text_by_NID(subj, NID_commonName, name, sizeof(name)) > 0){ name[sizeof(name) - 1] = '\0';