------------------------------------------------------------
revno: 13805
revision-id: squid3@treenet.co.nz-20150423115557-5rydmh3d5h4ilibi
parent: squid3@treenet.co.nz-20150423114447-98kfnmhwrq1eg3rt
author: Christos Tsantilas
committer: Amos Jeffries
branch nick: 3.5
timestamp: Thu 2015-04-23 04:55:57 -0700
message:
  Fix SSL_get_peer_certificate memory leak
  The SSL_get_peer_certificate openSSL function increases the lock for X509 object it returns so X509 object retrieved using this function must be released with X509_free after use. This patch uses the Ssl::X509_Pointer TidyPointer to release X509 object retrieved with the SSL_get_peer_certificate function inside the Ssl::PeerConnector::handleNegotiateError method
  This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150423115557-5rydmh3d5h4ilibi
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 3c5a787eb3ade85125a343961b289f5e6e22e672
# timestamp: 2015-04-23 11:57:24 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20150423114447-\
# 98kfnmhwrq1eg3rt
#
# Begin patch
=== modified file 'src/ssl/PeerConnector.cc'
--- src/ssl/PeerConnector.cc 2015-04-15 11:35:52 +0000
+++ src/ssl/PeerConnector.cc 2015-04-23 11:55:57 +0000
@@ -607,11 +607,13 @@
     // unsupported server Hello message (TODO: make configurable).
 #if 1
     if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) &&
-        SSL_get_peer_certificate(ssl) &&
         (srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) &&
         srvBio->holdWrite()) {
-        debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
-        checkForPeekAndSplice();
-        return;
+        Ssl::X509_Pointer serverCert(SSL_get_peer_certificate(ssl));
+        if (serverCert.get()) {
+            debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
+            checkForPeekAndSplice();
+            return;
+        }
     }
 #endif
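Review bot: The new `serverCert` local exists only to release the reference that SSL_get_peer_certificate() hands back, yet nothing at the call site says so, and a later tidy-up could fold the call back into the `if` condition and silently reintroduce the leak this commit fixes; a one-line comment above it, `// SSL_get_peer_certificate() returns a new reference; X509_Pointer releases it when this scope ends`, would pin that down. The re-added `debugs` line passes NULL to ERR_error_string(), which per the OpenSSL documentation formats into a shared static buffer; `char errBuf[256]; ERR_error_string_n(ssl_lib_error, errBuf, sizeof(errBuf));` and logging `errBuf` is the reentrant form, although if this path only ever runs on Squid's single main thread the current call is harmless. Note also that the certificate-presence test has moved from before the bumpMode()/holdWrite() checks to after them, which is behaviour-preserving only if holdWrite() has no side effects — it appears to be a plain accessor, but that is not visible here. handleNegotiateError() begins and ends outside this hunk.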