From e3f186e6983d822822d939829809d7f8612b33a1 Mon Sep 17 00:00:00 2001
From: John Sully
Date: Thu, 14 Jul 2022 04:36:51 +0000
Subject: [PATCH] Fix certificate leak during connection when tls-allowlists are used

---
 src/cluster.cpp |  4 +++-
 src/tls.cpp     | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/cluster.cpp b/src/cluster.cpp
index 398384f16..99af97594 100644
--- a/src/cluster.cpp
+++ b/src/cluster.cpp
@@ -1525,7 +1525,9 @@ void clusterProcessGossipSection(clusterMsg *hdr, clusterLink *link) {
                  * it's greater than our view but is not in the future
                  * (with 500 milliseconds tolerance) from the POV of our
                  * clock. */
-                if (pongtime <= (g_pserver->mstime+500) &&
+                mstime_t mstime;
+                __atomic_load(&g_pserver->mstime, &mstime, __ATOMIC_RELAXED);
+                if (pongtime <= (mstime+500) &&
                     pongtime > node->pong_received)
                 {
                     node->pong_received = pongtime;
diff --git a/src/tls.cpp b/src/tls.cpp
index 68651bfbb..1527a5f91 100644
--- a/src/tls.cpp
+++ b/src/tls.cpp
@@ -503,11 +503,26 @@ bool tlsCheckAgainstAllowlist(const char * client){
 #define ASN1_STRING_get0_data ASN1_STRING_data
 #endif
 
+class TCleanup {
+    std::function fn;
+
+public:
+    TCleanup(std::function fn)
+        : fn(fn)
+    {}
+
+    ~TCleanup() {
+        fn();
+    }
+};
+
 bool tlsValidateCertificateName(tls_connection* conn){
     if (g_pserver->tls_allowlist.empty())
         return true; // Empty list implies acceptance of all
 
     X509 * cert = SSL_get_peer_certificate(conn->ssl);
+    TCleanup certClen([cert]{X509_free(cert);});
+
     /* Check the common name (CN) of the certificate first */
     X509_NAME_ENTRY * ne = X509_NAME_get_entry(X509_get_subject_name(cert), X509_NAME_get_index_by_NID(X509_get_subject_name(cert), NID_commonName, -1));
     const char * commonName = reinterpret_cast(ASN1_STRING_get0_data(X509_NAME_ENTRY_get_data(ne)));
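Review bot: The relaxed atomic read of `g_pserver->mstime` in the cluster.cpp hunk is unrelated to the certificate leak named in the subject line and carries no comment saying why the plain read was unsafe; a why-comment such as `/* mstime is updated on another thread; read it atomically rather than racing on the plain field */` (the writer is not visible here, so confirm that is the reason) would help, and the change would be easier to bisect as its own commit. `__atomic_load` accepts a plain integral object, but it only removes the race if every writer of `mstime` also uses an atomic store, which this hunk cannot show; check the write side matches. clusterProcessGossipSection begins and ends outside the hunk.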
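Review bot: `SSL_get_peer_certificate` returns NULL when the peer presented no certificate, and the line right after the new `TCleanup` dereferences `cert` through `X509_get_subject_name(cert)` with no check; `X509_free(NULL)` is a documented no-op so the cleanup itself is safe, but the lookup is not. Suggest `if (cert == nullptr) return false;` immediately after the `SSL_get_peer_certificate` call, unless the handshake configuration already guarantees a peer certificate, which is not visible in this hunk. Separately, `TCleanup` is copyable, and any copy would run `fn()` twice and free the certificate twice; add `TCleanup(const TCleanup&) = delete; TCleanup& operator=(const TCleanup&) = delete;` and mark the single-argument constructor `explicit`. The template argument of `std::function` appears to have been dropped by this rendering (presumably `std::function<void()>`), so it cannot be checked here. tlsValidateCertificateName continues past the end of the hunk, so the remaining return paths the RAII guard now covers are not visible.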