ossl_cms_get1_crls_ex(): Avoid doublefree if CRL up ref fails
authorTomas Mraz <tomas@openssl.org>
Thu, 5 Dec 2024 08:29:08 +0000 (09:29 +0100)
committerTomas Mraz <tomas@openssl.org>
Tue, 10 Dec 2024 09:52:54 +0000 (10:52 +0100)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/26100)

(cherry picked from commit ef0be53f90045d0a9f0d085a7a4289335f49ee41)

crypto/cms/cms_lib.c

index ede016dff0c75902f3a4a77e7b6fcd791c5f4ac9..a115a3b9008320a7f078bbe483b03d84fede121b 100644 (file)
@@ -15,6 +15,7 @@
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
 #include "internal/sizes.h"
+#include "internal/cryptlib.h"
 #include "crypto/x509.h"
 #include "cms_local.h"
 
@@ -696,8 +697,9 @@ int ossl_cms_get1_crls_ex(CMS_ContentInfo *cms, STACK_OF(X509_CRL) **crls)
     for (i = 0; i < n; i++) {
         rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i);
         if (rch->type == 0) {
-            if (!sk_X509_CRL_push(*crls, rch->d.crl)
-                    || !X509_CRL_up_ref(rch->d.crl)) {
+            if (!X509_CRL_up_ref(rch->d.crl)
+                || !ossl_assert(sk_X509_CRL_push(*crls, rch->d.crl))) {
+                /* push cannot fail on reserved stack */
                 sk_X509_CRL_pop_free(*crls, X509_CRL_free);
                 *crls = NULL;
                 return 0;
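Review bot: The single cleanup block under the new condition treats both failures alike, but they leave different state. When `X509_CRL_up_ref()` fails no reference was taken, whereas if `sk_X509_CRL_push()` ever returned 0 in a build where `ossl_assert()` evaluates to the result instead of aborting, the reference just taken is not on `*crls` and `sk_X509_CRL_pop_free()` would not release it. The inline comment says this cannot happen on a reserved stack, but the reservation is made outside this hunk and cannot be confirmed from here. Handling the push branch separately with `X509_CRL_free(rch->d.crl);` before the common cleanup would keep the count balanced even if that reservation is changed later. The existing comment would also read better directly above the `if`, since inside the block it appears to describe the cleanup; the loop and the rest of ossl_cms_get1_crls_ex() continue outside the hunk.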