[Spice-commits] 2 commits - common/ssl_verify.c

[Christophe Fergau]

 common/ssl_verify.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

New commits:
commit 47122befcde4e40a8be0267af2bd77811b838c84
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Fri Oct 23 11:43:22 2015 +0200

    ssl-verify: Don't leak GInetAddress
    
    GInetAddress is a GObject, so we must unref anything we create with
    g_inet_address_new_*

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 817cf7b..601252e 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -190,9 +190,7 @@ static int verify_hostname(X509* cert, const char *hostname)
                     return 1;
                 }
             } else if (name->type == GEN_IPADD) {
-                GInetAddress * alt_ip = NULL;
                 GInetAddress * ip = NULL;
-                gchar * alt_ip_string = NULL;
                 const guint8 * ip_binary = NULL;
                 int alt_ip_len = 0;
                 int ip_len = 0;
@@ -211,15 +209,23 @@ static int verify_hostname(X509* cert, const char *hostname)
 
                 if ((ip_len == alt_ip_len) &&
                    (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, ip_len)) == 0) {
+                    GInetAddress * alt_ip = NULL;
+                    gchar * alt_ip_string = NULL;
+
                     alt_ip = g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
                                                            g_inet_address_get_family(ip));
                     alt_ip_string = g_inet_address_to_string(alt_ip);
                     spice_debug("alt name IP match=%s", alt_ip_string);
 
                     g_free(alt_ip_string);
+                    g_object_unref(alt_ip);
+                    g_object_unref(ip);
                     GENERAL_NAMES_free(subject_alt_names);
                     return 1;
                 }
+                if (ip != NULL) {
+                    g_object_unref(ip);
+                }
             }
         }
         GENERAL_NAMES_free(subject_alt_names);
commit 9057e0aef335387458c5374c0e1b7a6c14bf5cef
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Fri Oct 23 11:34:11 2015 +0200

    ssl-verify: Handle NULL return from g_inet_address_new_from_string()
    
    It will return NULL if the string we pass it cannot be parsed.

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 867c54f..817cf7b 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -200,8 +200,12 @@ static int verify_hostname(X509* cert, const char *hostname)
                 found_dns_name = 1;
 
                 ip = g_inet_address_new_from_string(hostname);
-                ip_len = g_inet_address_get_native_size(ip);
-                ip_binary = g_inet_address_to_bytes(ip);
+                if (ip != NULL) {
+                    ip_len = g_inet_address_get_native_size(ip);
+                    ip_binary = g_inet_address_to_bytes(ip);
+                } else {
+                    spice_warning("Could not parse hostname: %s", hostname);
+                }
 
                 alt_ip_len = ASN1_STRING_length(name->d.iPAddress);