ruby-changes:74043
From: Kazuki <ko1@a...>
Date: Mon, 17 Oct 2022 16:43:31 +0900 (JST)
Subject: [ruby-changes:74043] bee383d9fe (master): [ruby/openssl] x509*: fix error queue leak in #extensions= and #attributes= methods
https://git.ruby-lang.org/ruby.git/commit/?id=bee383d9fe From bee383d9fe84eb29ec12a8c392fcbf7c646575b8 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi <k@r...> Date: Fri, 2 Sep 2022 13:55:19 +0900 Subject: [ruby/openssl] x509*: fix error queue leak in #extensions= and #attributes= methods X509at_delete_attr() in OpenSSL master puts an error queue entry if there is no attribute left to delete. We must either clear the error queue, or try not to call it when the list is already empty. https://github.com/ruby/openssl/commit/a0c878481f --- ext/openssl/ossl_x509cert.c | 6 +++--- ext/openssl/ossl_x509crl.c | 6 +++--- ext/openssl/ossl_x509req.c | 6 +++--- ext/openssl/ossl_x509revoked.c | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c index 996f184170..9443541645 100644 --- a/ext/openssl/ossl_x509cert.c +++ b/ext/openssl/ossl_x509cert.c @@ -642,12 +642,12 @@ ossl_x509_set_extensions(VALUE self, VALUE ary) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509cert.c#L642 OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext); } GetX509(self, x509); - while ((ext = X509_delete_ext(x509, 0))) - X509_EXTENSION_free(ext); + for (i = X509_get_ext_count(x509); i > 0; i--) + X509_EXTENSION_free(X509_delete_ext(x509, 0)); for (i=0; i<RARRAY_LEN(ary); i++) { ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */ - ossl_raise(eX509CertError, NULL); + ossl_raise(eX509CertError, "X509_add_ext"); } } diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c index 863f0286c0..6c1d915370 100644 --- a/ext/openssl/ossl_x509crl.c +++ b/ext/openssl/ossl_x509crl.c @@ -474,12 +474,12 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509crl.c#L474 OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext); } GetX509CRL(self, crl); - while ((ext = X509_CRL_delete_ext(crl, 0))) - X509_EXTENSION_free(ext); + for (i = X509_CRL_get_ext_count(crl); i > 0; i--) + X509_EXTENSION_free(X509_CRL_delete_ext(crl, 0)); for (i=0; i<RARRAY_LEN(ary); i++) { ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */ if (!X509_CRL_add_ext(crl, ext, -1)) { - ossl_raise(eX509CRLError, NULL); + ossl_raise(eX509CRLError, "X509_CRL_add_ext"); } } diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c index 6eb91e9c2f..77a7d3f2ff 100644 --- a/ext/openssl/ossl_x509req.c +++ b/ext/openssl/ossl_x509req.c @@ -380,13 +380,13 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509req.c#L380 OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr); } GetX509Req(self, req); - while ((attr = X509_REQ_delete_attr(req, 0))) - X509_ATTRIBUTE_free(attr); + for (i = X509_REQ_get_attr_count(req); i > 0; i--) + X509_ATTRIBUTE_free(X509_REQ_delete_attr(req, 0)); for (i=0;i<RARRAY_LEN(ary); i++) { item = RARRAY_AREF(ary, i); attr = GetX509AttrPtr(item); if (!X509_REQ_add1_attr(req, attr)) { - ossl_raise(eX509ReqError, NULL); + ossl_raise(eX509ReqError, "X509_REQ_add1_attr"); } } return ary; diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c index 5fe6853430..10b8aa4ad6 100644 --- a/ext/openssl/ossl_x509revoked.c +++ b/ext/openssl/ossl_x509revoked.c @@ -223,13 +223,13 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509revoked.c#L223 OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext); } GetX509Rev(self, rev); - while ((ext = X509_REVOKED_delete_ext(rev, 0))) - X509_EXTENSION_free(ext); + for (i = X509_REVOKED_get_ext_count(rev); i > 0; i--) + X509_EXTENSION_free(X509_REVOKED_delete_ext(rev, 0)); for (i=0; i<RARRAY_LEN(ary); i++) { item = RARRAY_AREF(ary, i); ext = GetX509ExtPtr(item); if(!X509_REVOKED_add_ext(rev, ext, -1)) { - ossl_raise(eX509RevError, NULL); + ossl_raise(eX509RevError, "X509_REVOKED_add_ext"); } } -- cgit v1.2.3 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/