From: Arne Schwabe Date: Thu, 1 Jun 2023 09:57:21 +0000 (+0200) Subject: Fix use-after-free with EVP_CIPHER_free X-Git-Tag: v2.7_alpha1~457 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13f5e615310ea64ab69f521e622a10f2d0ad3f4e;p=thirdparty%2Fopenvpn.git Fix use-after-free with EVP_CIPHER_free In many scenarios the context will still have a reference to the cipher, so this use-after-free does not explode but it is still wrong. Change-Id: I59002d6613eaef36d5a47b20b56073e399cfa1df Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Message-Id: <20230601095721.4065834-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26735.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c2ac80b74..f5372f85a 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -839,9 +839,9 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, crypto_msg(M_FATAL, "EVP cipher init #2"); } - EVP_CIPHER_free(kt); /* make sure we used a big enough key */ ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= EVP_CIPHER_key_length(kt)); + EVP_CIPHER_free(kt); } int
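Review bot: The relocated EVP_CIPHER_free(kt) at the end of cipher_ctx_init carries no comment tying it to the ASSERT directly above, which still reads kt through EVP_CIPHER_key_length(kt), so nothing on the page stops a later cleanup from hoisting the free back up. The commit message itself notes that the early free usually "does not explode" because the context still holds a reference, which means a regression here would likely go unnoticed in testing. Consider a one-line comment on the free such as "kt must stay valid until after the key-length check", or read EVP_CIPHER_key_length(kt) into a local before the free so the lifetime dependency is explicit in the code rather than in statement order.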