On Thu, Sep 11, 2014 at 11:05:02PM -0500, Kent R. Spillner wrote:
> While reviewing tedu@'s libressl config cleanup diffs I noticed we're
> not explicitly freeing ressl_config in ftp(1).
...
> Index: fetch.c
> ===================================================================
...
> if (ssl != NULL) {
> ressl_close(ssl);
> + ressl_config_free(ressl_config);
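
Review bot: The added `ressl_config_free(ressl_config);` sits inside the `if (ssl != NULL)` connection cleanup, which ties the config's lifetime to the teardown of a single connection, and nothing visible in this hunk resets `ressl_config` afterwards, so the pointer is left dangling for any later use. Unless the config is also allocated in this function, drop the line from this cleanup path and release the config once, in the code that allocates it.
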
Hmm, this doesn't look right to me. ressl_config is not allocated the
same way as the other variables. The other variables such as ssl,
sslhost, etc. are local to that function and allocated there.
ressl_config is a global and only allocated in main.c. It is allocated
once and configured using getopt/getsubopt().

If you free it, you would need to reallocate it each time or set it to
NULL so libressl will revert back and discard the user's changes.

I think either way is wrong. The SSL configuration should be retained
even if a single url_get() fails (which isn't fatal).

The above code is from url_get() which is called in a loop inside
auto_fetch(). I think the above change would use the getsubopt()
configuration for the first HTTPS URL argument and then try to use freed
memory for the others.
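
The lifetime problem described in this reply, as an added C model that is not code from ftp(1), libressl or either poster. `struct cfg`, `url_get_model` and `run_fetches` are hypothetical stand-ins, and the modelled free only marks the object dead so that stale reads can be counted without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in types; not the libressl API. */
struct cfg { int live; int user_opt; };
enum mode { OWNER_FREES, CALLEE_FREES, CALLEE_FREES_AND_NULLS };
struct result { int applied; int stale; int defaulted; };
static struct cfg *g_cfg;	/* global, configured once, like ressl_config */
/* Models free(): marks the object dead rather than releasing it. */
static void cfg_release(struct cfg *c) { if (c != NULL) c->live = 0; }

/* One fetch: consult the global config, then clean up per the chosen mode. */
static void url_get_model(enum mode m, struct result *r)
{
	if (g_cfg == NULL)
		r->defaulted++;		/* library defaults; user's options lost */
	else if (!g_cfg->live)
		r->stale++;		/* would be a use-after-free */
	else if (g_cfg->user_opt)
		r->applied++;		/* user's option honoured */
	if (m == OWNER_FREES)
		return;
	cfg_release(g_cfg);		/* per-connection cleanup frees the global */
	if (m == CALLEE_FREES_AND_NULLS)
		g_cfg = NULL;
}

/* Models main() plus the auto_fetch() loop: configure once, fetch nurls URLs. */
struct result run_fetches(enum mode m, int nurls)
{
	struct result r = {0, 0, 0};
	struct cfg *owned = calloc(1, sizeof(*owned));
	if (owned == NULL) abort();
	owned->live = owned->user_opt = 1;	/* constructed: user set an option */
	g_cfg = owned;
	for (int i = 0; i < nurls; i++)
		url_get_model(m, &r);
	g_cfg = NULL;
	free(owned);			/* the single real release, done by the owner */
	return r;
}

int main(void)
{
	for (int m = OWNER_FREES; m <= CALLEE_FREES_AND_NULLS; m++) {
		struct result r = run_fetches((enum mode)m, 3);
		printf("mode=%d applied=%d stale=%d defaulted=%d\n", m, r.applied, r.stale, r.defaulted);
	}
	return 0;
}
```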