> On 19 Sep 2023, at 10:06, Sergey Shinderuk <s.shinderuk@postgrespro.ru> wrote:
>
> On 19.09.2023 03:54, Michael Paquier wrote:
>> One doubt that I have is if we shouldn't let X509_NAME_print_ex() be
>> as it is now, and not force a failure on the bio if this calls fails.
>
> If malloc fails inside X509_NAME_print_ex, then we will be left with empty port->peer_dn.
Looking at the OpenSSL code, there a other (albeit esoteric) errors that return
-1 as well. I agree that we should handle this error.
X509_NAME_print_ex is not documented to return -1 in OpenSSL 1.0.2 but reading
the code it's clear that it does, so checking for -1 is safe for all supported
OpenSSL versions (supported by us that is).
Attached is a v2 on top of HEAD with commit message etc, which I propose to
backpatch to v15 where it was introduced.
--
Daniel Gustafsson