From: Tomas Mraz Date: Thu, 5 Dec 2024 08:29:08 +0000 (+0100) Subject: ossl_cms_get1_crls_ex(): Avoid doublefree if CRL up ref fails X-Git-Tag: openssl-3.5.0-alpha1~841 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4b30d9c6d03ddc6e6f03708bc2c5528362cf03c;p=thirdparty%2Fopenssl.git ossl_cms_get1_crls_ex(): Avoid doublefree if CRL up ref fails Reviewed-by: Tim Hudson Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/26100) (cherry picked from commit ef0be53f90045d0a9f0d085a7a4289335f49ee41)
---
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index ede016dff0c..a115a3b9008 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -15,6 +15,7 @@
 #include
 #include
 #include "internal/sizes.h"
+#include "internal/cryptlib.h"
 #include "crypto/x509.h"
 #include "cms_local.h"
@@ -696,8 +697,9 @@ int ossl_cms_get1_crls_ex(CMS_ContentInfo *cms, STACK_OF(X509_CRL) **crls)
 for (i = 0; i < n; i++) {
 rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i);
 if (rch->type == 0) {
- if (!sk_X509_CRL_push(*crls, rch->d.crl)
- || !X509_CRL_up_ref(rch->d.crl)) {
+ if (!X509_CRL_up_ref(rch->d.crl)
+ || !ossl_assert(sk_X509_CRL_push(*crls, rch->d.crl))) {
+ /* push cannot fail on reserved stack */
 sk_X509_CRL_pop_free(*crls, X509_CRL_free);
 *crls = NULL;
 return 0;
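Review bot: In the `-696,8 +697,9` hunk, if `sk_X509_CRL_push()` ever returned 0 in a build where `ossl_assert()` evaluates to false instead of aborting, the reference just taken by `X509_CRL_up_ref()` would be leaked, because that CRL is not on `*crls` when `sk_X509_CRL_pop_free()` runs. Taking the reference first does remove the double free, and a leak is the safer failure, but the argument rests on the stack having been reserved for `n` entries, which is presumably done before the loop and is not visible in this hunk. The new comment also sits inside the error branch, where it reads as a remark on the cleanup; it would be clearer above the condition and naming the invariant, e.g. `/* *crls is reserved for n entries, so push cannot fail; up_ref first so pop_free only drops references we own */`. The body of `ossl_cms_get1_crls_ex()` starts and ends outside the hunk.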