Fix memory leak in libpq when using sslmode=verify-full

Checking if Subject Alternative Names (SANs) from a certificate match
with the hostname connected to leaked memory after each lookup done.

This is broken since acd08d7 that added support for SANs in SSL
certificates, so backpatch down to 9.5.

Author: Roman Peshkurov
Reviewed-by: Hamid Akhtar, Michael Paquier, David Steele
Discussion: https://postgr.es/m/CALLDf-pZ-E3mjxd5=bnHsDu9zHEOnpgPgdnO84E2RuwMCjjyPw@mail.gmail.com
Backpatch-through: 9.5

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 766d4a0b2ce9372dacce43768c2039d3781c66dd..66d50a959b64c7f43bae73e761edd7ea7aacb2d7 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -550,7 +550,7 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
            if (rc != 0)
                break;
        }
-       sk_GENERAL_NAME_free(peer_san);
+       sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
    }
 
    /*