Make getErrorsFromOpenSSL thread-safe

If we pass nullptr as a buffer parameter, ERR_error_string uses a local array with static storage duration, which makes ERR_error_string non thread-safe. Instead we can use ERR_error_string_n with our own buffer. As for the size: docs are inconsistent, sometimes they say 'at least 120 bytes long', sometimes 'at least 256 ...'. Their code (ERR_error_string implenented via call to ERR_error_string_n) has buf[256] and so we do. I know this will enrage our Mr. Bot, but I've removed a stray whitespace. Change-Id: I4b8cc7b6b9af1a34fc87a760927a493332cdd0a5 Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
2018-02-19 13:21:46 +01:00 · 2018-02-19 13:21:46 +01:00 · 04f3534815
commit 04f3534815
parent 2776d663aa
1 changed files with 4 additions and 3 deletions
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@ -99,12 +99,13 @@ int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1;
 QString QSslSocketBackendPrivate::getErrorsFromOpenSsl()
 {
    QString errorString;
+    char buf[256] = {}; // OpenSSL docs claim both 120 and 256; use the larger.
    unsigned long errNum;
    while ((errNum = q_ERR_get_error())) {
-        if (! errorString.isEmpty())
+        if (!errorString.isEmpty())
            errorString.append(QLatin1String(", "));
-        const char *error = q_ERR_error_string(errNum, NULL);
-        errorString.append(QString::fromLatin1(error)); // error is ascii according to man ERR_error_string
+        q_ERR_error_string_n(errNum, buf, sizeof buf);
+        errorString.append(QString::fromLatin1(buf)); // error is ascii according to man ERR_error_string
    }
    return errorString;
 }