authorHaidong Ji <haidongj@amazon.com>2022-09-13 00:41:43 +0000
committerDaniel Black <daniel@mariadb.org>2022-10-22 11:04:08 +1100
commit45755c4e1bfbde5fe0d437dc56086ccd9dbdb37a (patch)
tree04292d441ecd592d6b1fe189bdad0cea1e29a7df
parente46217182fab8f451799624402c2466474115926 (diff)
Use OPENSSL_free instead of free to avoid instance crash
OpenSSL handles memory management using the **OPENSSL_xxx** API[^1]. For allocation, there is `OPENSSL_malloc`. To free that memory, `OPENSSL_free` should be called. We've been lucky that OpenSSL's (and wolfSSL's) implementation allowed the usage of `free` for memory cleanup. However, other OpenSSL forks, such as AWS-LC[^2], are not this forgiving; calling `free` on such memory will cause a server crash. Test case `openssl_1` provides good coverage for this issue. If a user is created using: `grant select on test.* to user1@localhost require SUBJECT "...";` user1 will crash the instance during connection under AWS-LC. There have been numerous OpenSSL forks[^3]. Due to FIPS[^4] and other related regulatory requirements, MariaDB will be built using them. This fix will increase MariaDB's adaptability by using the more compliant and generally accepted API. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc. [^1]: https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_malloc.html [^2]: https://github.com/awslabs/aws-lc [^3]: https://en.wikipedia.org/wiki/OpenSSL#Forks [^4]: https://en.wikipedia.org/wiki/FIPS_140-2
-rw-r--r--sql/sql_acl.cc8
1 files changed, 4 insertions, 4 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 5b5150acab1..7057c32f2f0 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -13257,11 +13257,11 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
if (global_system_variables.log_warnings)
sql_print_information("X509 issuer mismatch: should be '%s' "
"but is '%s'", acl_user->x509_issuer, ptr);
- free(ptr);
+ OPENSSL_free(ptr);
X509_free(cert);
return 1;
}
- free(ptr);
+ OPENSSL_free(ptr);
}
/* X509 subject is specified, we check it .. */
if (acl_user->x509_subject)
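Review bot: `ptr` is passed to a `%s` conversion in the issuer-mismatch log call and then released, with no NULL check visible before either use. Its assignment and the comparison sit above the hunk, so this is inferred: if `ptr` comes from an OpenSSL name-formatting call that can return NULL on allocation failure, a NULL would be dereferenced while a connecting client's certificate requirements are being checked. Please confirm, and if so fail closed before the comparison with `if (!ptr) { X509_free(cert); return 1; }`. The same applies to the subject block in the next hunk; acl_check_ssl starts above this hunk and continues past it.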
@@ -13274,11 +13274,11 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
if (global_system_variables.log_warnings)
sql_print_information("X509 subject mismatch: should be '%s' but is '%s'",
acl_user->x509_subject, ptr);
- free(ptr);
+ OPENSSL_free(ptr);
X509_free(cert);
return 1;
}
- free(ptr);
+ OPENSSL_free(ptr);
}
X509_free(cert);
return 0;
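Review bot: Nothing at the changed call sites records why `OPENSSL_free` is required, so a later cleanup could quietly turn them back into `free()`, which per the commit message crashes the server on stricter OpenSSL forks. I would add one comment where `ptr` is released in the subject block, `/* ptr is allocated by the TLS library: release with OPENSSL_free(), never free() */`, and the same in the issuer block of the previous hunk. As a matter of style, `X509_free(cert)` is repeated on every exit path shown; a single cleanup label would keep the certificate and string release in one place. The start of acl_check_ssl is outside the hunk.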