From a2d519ce9ff2f72bc22a1c159dbba3d87d3b6b5d Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Tue, 9 Sep 2025 12:01:51 +0200
Subject: [PATCH 1/2] ssl-bump: fix X509 ref leak on SSL_set_ex_data() failure

---
 src/ssl/PeekingPeerConnector.cc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
index fa7d29c9fd7..8b7929feea7 100644
--- a/src/ssl/PeekingPeerConnector.cc
+++ b/src/ssl/PeekingPeerConnector.cc
@@ -209,8 +209,14 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
 serverBump->attachServerSession(serverSession);
 // store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE
 if (X509 *peeked_cert = serverBump->serverCert.get()) {
- X509_up_ref(peeked_cert);
- SSL_set_ex_data(serverSession.get(), ssl_ex_index_ssl_peeked_cert, peeked_cert);
+ if (!X509_up_ref(peeked_cert)) {
+ debugs(83, DBG_IMPORTANT, "WARNING: X509_up_ref(peeked_cert) failed");
+ } else if (!SSL_set_ex_data(serverSession.get(),
+ ssl_ex_index_ssl_peeked_cert,
+ peeked_cert)) {
+ debugs(83, DBG_IMPORTANT, "WARNING: SSL_set_ex_data(ssl_ex_index_ssl_peeked_cert) failed; dropping extra X509 ref");
+ X509_free(peeked_cert);
+ }
 }
 }
 }

From 591841b4f98de482c16497b390d91ae7729b0007 Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Wed, 10 Sep 2025 17:51:05 +0200
Subject: [PATCH 2/2] Update src/ssl/PeekingPeerConnector.cc

Co-authored-by: Amos Jeffries
---
 src/ssl/PeekingPeerConnector.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
index 8b7929feea7..c1f16176053 100644
--- a/src/ssl/PeekingPeerConnector.cc
+++ b/src/ssl/PeekingPeerConnector.cc
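Review bot: Both new failure branches inside the `if (X509 *peeked_cert = …)` body log a warning and then let initialize() carry on, so the server session is set up with nothing stored under ssl_ex_index_ssl_peeked_cert, and whatever later reads that slot for the SQUID_X509_V_ERR_CERT_CHANGE comparison (per the comment just above) will presumably find no peeked certificate to compare against — the failure is fail-open rather than fail-closed. If initialize() can report failure to its caller (its return statement lies outside this hunk, so I cannot confirm the return type), consider returning that failure after the cleanup, e.g. `X509_free(peeked_cert); return false;`, so a bumped session is not completed after silently losing its cert-change guard. If continuing is the intended behaviour, state the consequence next to the warnings, `// continuing without the peeked cert disables the CERT_CHANGE comparison for this session`, and fold that consequence into the warning text so an operator reading cache.log knows what was lost. The refcount handling itself looks correct: the extra reference is released only on the SSL_set_ex_data() failure path, and serverBump->serverCert keeps its own reference on the X509_up_ref() failure path.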
@@ -210,7 +210,7 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
 // store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE
 if (X509 *peeked_cert = serverBump->serverCert.get()) {
 if (!X509_up_ref(peeked_cert)) {
- debugs(83, DBG_IMPORTANT, "WARNING: X509_up_ref(peeked_cert) failed");
+ debugs(83, DBG_IMPORTANT, "WARNING: X509_up_ref(peeked_cert) failed on server certificate");
 } else if (!SSL_set_ex_data(serverSession.get(),
 ssl_ex_index_ssl_peeked_cert,
 peeked_cert)) {