From 8a9810bbc287650dd0905a9bd854744144d21680 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Wed, 26 Sep 2012 21:55:42 +0100
Subject: [PATCH] Fix leaks on failure paths in OpenSSL openconnect_open_https()
Spotted by Coverity.
Signed-off-by: David Woodhouse
---
 openssl.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/openssl.c b/openssl.c
index 851a7111..c1632657 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1298,6 +1298,9 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 if (err) {
 vpn_progress(vpninfo, PRG_ERR, _("Loading certificate failed. Aborting.\n"));
+ SSL_CTX_free(vpninfo->https_ctx);
+ vpninfo->https_ctx = NULL;
+ close(ssl_sock);
 return err;
 }
 check_certificate_expiry(vpninfo);
@@ -1325,6 +1328,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 BIO *b = BIO_from_keystore(vpninfo, vpninfo->cafile);
 if (!b) {
+ SSL_CTX_free(vpninfo->https_ctx);
+ vpninfo->https_ctx = NULL;
 close(ssl_sock);
 return -EINVAL;
 }
@@ -1337,6 +1342,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 _("Failed to read certs from CA file '%s'\n"), vpninfo->cafile);
 openconnect_report_ssl_errors(vpninfo);
+ SSL_CTX_free(vpninfo->https_ctx);
+ vpninfo->https_ctx = NULL;
 close(ssl_sock);
 return -ENOENT;
 }
@@ -1359,6 +1366,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 _("Failed to open CA file '%s'\n"), vpninfo->cafile);
 openconnect_report_ssl_errors(vpninfo);
+ SSL_CTX_free(vpninfo->https_ctx);
+ vpninfo->https_ctx = NULL;
 close(ssl_sock);
 return -EINVAL;
 }
@@ -1378,7 +1387,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 while ((err = SSL_connect(https_ssl)) <= 0) {
 fd_set wr_set, rd_set;
 int maxfd = ssl_sock; - + FD_ZERO(&wr_set); FD_ZERO(&rd_set);
-- 
2.49.0
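Review bot: The same teardown (`SSL_CTX_free(vpninfo->https_ctx); vpninfo->https_ctx = NULL; close(ssl_sock);`) is now spelled out four times — in the "Loading certificate failed" path of the first hunk and in the three CA-file paths at -1325, -1337 and -1359 — so the next failure exit added to this function can skip a step just as these did. Folding it into one static helper (or a single cleanup label) would keep the exits in sync. Because `https_ctx` is a member of `vpninfo` and is reset to NULL here, it presumably outlives the call; if so, the helper's comment should state that a context whose certificate or CA file failed to load must never stay in `vpninfo`, since a later call could otherwise connect with a trust store that lacks the configured CA. The function begins and ends outside these hunks, so its remaining exits (for example after `SSL_connect`) are not visible here and should be checked against the same rule.

```c
/* Drop a partially configured context: one whose certificate or CA file
 * failed to load must not remain in vpninfo for a later call to reuse. */
static void abandon_https_setup(struct openconnect_info *vpninfo, int ssl_sock)
{
	SSL_CTX_free(vpninfo->https_ctx);
	vpninfo->https_ctx = NULL;
	close(ssl_sock);
}

/* … unchanged: vpn_progress() report for the failed certificate load … */
			abandon_https_setup(vpninfo, ssl_sock);
			return err;
```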