Fix memory leak in libpq when using sslmode=verify-full

Checking if Subject Alternative Names (SANs) from a certificate match
with the hostname connected to leaked memory after each lookup done.

This is broken since acd08d7 that added support for SANs in SSL
certificates, so backpatch down to 9.5.

Author: Roman Peshkurov
Reviewed-by: Hamid Akhtar, Michael Paquier, David Steele
Discussion: https://postgr.es/m/CALLDf-pZ-E3mjxd5=bnHsDu9zHEOnpgPgdnO84E2RuwMCjjyPw@mail.gmail.com
Backpatch-through: 9.5

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index e8b917909f680bffe8f8206f18c7a616db44fc0e..9be6b0d89c6d2b15c82885727afa15b0a85041fb 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -627,7 +627,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
            if (found_match || got_error)
                break;
        }
-       sk_GENERAL_NAME_free(peer_san);
+       sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
    }
 
    /*