[openssl] OpenSSL_1_1_1-stable update

tomas at openssl.org tomas at openssl.org
Mon Aug 16 10:57:20 UTC 2021


The branch OpenSSL_1_1_1-stable has been updated
       via  75a4f263ba9d3ec1e9d55ca5024aee62aec70475 (commit)
      from  33e8f03e98acdf3c505b2ee82dd7e595d11e3b6f (commit)


- Log -----------------------------------------------------------------
commit 75a4f263ba9d3ec1e9d55ca5024aee62aec70475
Author: Todd Short <tshort at akamai.com>
Date:   Fri Aug 13 09:59:59 2021 -0400

    Fix potential double-free
    
    The `sk` variable is assigned to `s->session->peer_chain`.
    If `ssl3_digest_cached_records()` were to fail, then `sk` would still be
    non-NULL, and subsequently freed on the error return. When the session
    is freed, it will then attempt to free `s->session->peer_chain`,
    resulting in a double-free (of `sk`).
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16309)
    
    (cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/statem_srvr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 30d20f1297..d701c46b43 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3753,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
 
     sk_X509_pop_free(s->session->peer_chain, X509_free);
     s->session->peer_chain = sk;
+    sk = NULL;
 
     /*
      * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
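Review bot: The added `sk = NULL;` directly after `s->session->peer_chain = sk;` carries no comment stating that ownership of the chain has passed to the session. Nothing stops a later edit from moving the reset back below a call that can fail, which is the ordering the commit message describes as leading to a double-free on the error return. Consider a one-line comment above it, for example `/* peer_chain now owns sk; the error path must not free it */`.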
@@ -3767,7 +3768,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
      * Inconsistency alert: cert_chain does *not* include the peer's own
      * certificate, while we do include it in statem_clnt.c
      */
-    sk = NULL;
 
     /* Save the current hash state for when we receive the CertificateVerify */
     if (SSL_IS_TLS13(s)) {
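Review bot: Removing `sk = NULL;` below the "Inconsistency alert" comment leaves that comment block followed only by an empty line and then the next comment ("Save the current hash state ..."), so it no longer sits beside any statement. Consider dropping the leftover blank line, or moving the comment next to the code it documents, so the block does not read as orphaned.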

