authorMatthias Andree <matthias.andree@gmx.de>2009-08-17 17:16:35 +0000
committerMatthias Andree <matthias.andree@gmx.de>2009-08-17 17:16:35 +0000
commitd7db335df7367b96b094e8b886c161f4de11f525 (patch)
treee73b83133e55d71befc282adf0827090acdc4f0e
parent7ba08582a30fab03ccf6ac78232d6bbd1be55cd0 (diff)
Fix free() of unallocated memory on intact/non-verbose SSL-connections.
Problem was improper scoping of xfree(tt). Patch courtesy of Thomas Heinz. Fixes Gentoo bug #280760. svn path=/branches/BRANCH_6-3/; revision=5415
-rw-r--r--NEWS9
-rw-r--r--socket.c5
2 files changed, 12 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 8b3c074a..abf07101 100644
--- a/NEWS
+++ b/NEWS
@@ -51,6 +51,15 @@ removed from a 6.4.0 or newer release.)
fetchmail 6.3.12 (released XXXX-XX-XX - not yet):
+# REGRESSION FIXES
+* The CVS-2009-2666 fix in fetchmail release 6.3.11 caused a free() of
+ unallocated memory on SSL connections, which caused crashes or program aborts
+ on some systems (depending on how initialization and free() of unallocated
+ memory is handled in compiler and libc).
+ Patch courtesy of Thomas Heinz, fixes Gentoo Bug #280760.
+ This regression affected only the 6.3.11 release, but not the patch that was
+ part of the security announcement fetchmail-SA-2009-01.
+
# TRANSLATION UPDATES AND ADDITIONS (ordered by language name):
* [ca] Catalan (Ernest Adrogué Calveras)
* [cs] Czech (Petr Pisar)
diff --git a/socket.c b/socket.c
index 21924260..c245b3d4 100644
--- a/socket.c
+++ b/socket.c
@@ -628,9 +628,10 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
report(stdout, GT_("Unknown Issuer CommonName\n"));
}
if ((i = X509_NAME_get_text_by_NID(subj, NID_commonName, buf, sizeof(buf))) != -1) {
- if (outlevel >= O_VERBOSE)
+ if (outlevel >= O_VERBOSE) {
report(stdout, GT_("Server CommonName: %s\n"), (tt = sdump(buf, i)));
- xfree(tt);
+ xfree(tt);
+ }
if ((size_t)i >= sizeof(buf) - 1) {
/* Possible truncation. In this case, this is a DNS name, so this
* is really bad. We do not tolerate this even in the non-strict case. */
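Review bot: The assignment buried in the report() argument, `(tt = sdump(buf, i))`, is the pattern that let the free sit outside the branch that allocates, and the new braces keep it. Inside the verbose block it would be clearer written as `tt = sdump(buf, i);`, then `report(stdout, GT_("Server CommonName: %s\n"), tt);`, then `xfree(tt);`. The declaration of `tt` is outside the hunk; if it has no initializer there, setting it to NULL would make a misplaced free harmless in future, assuming xfree accepts NULL. The Issuer CommonName handling just above the hunk is only partly visible and should be checked for the same allocate-in-branch, free-outside shape. SSL_verify_callback's body starts and ends outside the hunk.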