Fix certificate leak during connection when tls-allowlists are used

2022-07-14 04:36:51 +00:00 · 2022-07-14 04:36:51 +00:00 · e3f186e698
commit e3f186e698
parent 93ea66ece5
2 changed files with 18 additions and 1 deletions
--- a/src/cluster.cpp
+++ b/src/cluster.cpp
@ -1525,7 +1525,9 @@ void clusterProcessGossipSection(clusterMsg *hdr, clusterLink *link) {
                 * it's greater than our view but is not in the future
                 * (with 500 milliseconds tolerance) from the POV of our
                 * clock. */
-                if (pongtime <= (g_pserver->mstime+500) &&
+                mstime_t mstime;
+                __atomic_load(&g_pserver->mstime, &mstime, __ATOMIC_RELAXED);
+                if (pongtime <= (mstime+500) &&
                    pongtime > node->pong_received)
                {
                    node->pong_received = pongtime;
--- a/src/tls.cpp
+++ b/src/tls.cpp
@ -503,11 +503,26 @@ bool tlsCheckAgainstAllowlist(const char * client){
 #define ASN1_STRING_get0_data ASN1_STRING_data 
 #endif 

+class TCleanup {
+    std::function<void()> fn;
+
+public:
+    TCleanup(std::function<void()> fn)
+        : fn(fn)
+    {}
+
+    ~TCleanup() {
+        fn();
+    }
+};
+
 bool tlsValidateCertificateName(tls_connection* conn){
    if (g_pserver->tls_allowlist.empty())
        return true;    // Empty list implies acceptance of all

    X509 * cert = SSL_get_peer_certificate(conn->ssl);
+    TCleanup certClen([cert]{X509_free(cert);});
+    
    /* Check the common name (CN) of the certificate first */
    X509_NAME_ENTRY * ne = X509_NAME_get_entry(X509_get_subject_name(cert), X509_NAME_get_index_by_NID(X509_get_subject_name(cert), NID_commonName, -1));
    const char * commonName = reinterpret_cast<const char*>(ASN1_STRING_get0_data(X509_NAME_ENTRY_get_data(ne)));