GitList

Browse code

ssl_openssl.c: Prevent potential double-free

Fixes a potential double-free issue in tls_ctx_load_cert_uri()
by explicitly nullifying the pointer immediately after calling
OSSL_STORE_INFO_free(info).

This ensures that subsequent cleanup won't attempt to free the same
structure again.

Github: closes OpenVPN/openvpn#726

Change-Id: I4507be07cd5573b2117e837ef03187535a38a4b1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250417134636.21279-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31478.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Lev Stipakov authored on 2025/04/17 22:46:30
Showing 1 changed files

src/openvpn/ssl_openssl.c

History View file @ f7aedca

@@ -1152,6 +1152,7 @@ tls_ctx_load_cert_uri(struct tls_root_ctx *tls_ctx, const char *uri)
         goto end;
     }
     OSSL_STORE_INFO_free(info);
+    info = NULL;
 
     /* iterate through the store and add extra certificates if any to the chain */
     while (!OSSL_STORE_eof(store_ctx))
@@ -1170,6 +1171,7 @@ tls_ctx_load_cert_uri(struct tls_root_ctx *tls_ctx, const char *uri)
             break;
         }
         OSSL_STORE_INFO_free(info);
+        info = NULL;
     }
 
 end:

...	...	@@ -1152,6 +1152,7 @@ tls_ctx_load_cert_uri(struct tls_root_ctx tls_ctx, const char uri)
1152	1152	goto end;
1153	1153	}
1154	1154	OSSL_STORE_INFO_free(info);
	1155	+ info = NULL;
1155	1156
1156	1157	/* iterate through the store and add extra certificates if any to the chain */
1157	1158	while (!OSSL_STORE_eof(store_ctx))
...	...	@@ -1170,6 +1171,7 @@ tls_ctx_load_cert_uri(struct tls_root_ctx tls_ctx, const char uri)
1170	1170	break;
1171	1171	}
1172	1172	OSSL_STORE_INFO_free(info);
	1173	+ info = NULL;
1173	1174	}
1174	1175
1175	1176	end: