[tls] Ensure received data list is initialised before calling tls_free()

A failure in tls_generate_random() will result in a call to ref_put()
before the received data list has been initialised, which will cause
free_tls() to attempt to traverse an uninitialised list.

Fix by ensuring that all fields referenced by free_tls() are
initialised before any of the potential failure paths.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/net/tls.c b/src/net/tls.c
index b197c111f8a121b7be92fec491a2dfe4aa61826a..329c6fe000d54fdfe77028a24eeeb5510f773fe7 100644 (file)
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2788,6 +2788,9 @@ int add_tls ( struct interface *xfer, const char *name,
        tls_clear_cipher ( tls, &tls->rx_cipherspec );
        tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
        tls->client_random.gmt_unix_time = time ( NULL );
+       iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
+                      sizeof ( tls->rx_header ) );
+       INIT_LIST_HEAD ( &tls->rx_data );
        if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
                          ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
                goto err_random;
@@ -2797,9 +2800,6 @@ int add_tls ( struct interface *xfer, const char *name,
                      ( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) {
                goto err_random;
        }
-       iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
-                      sizeof ( tls->rx_header ) );
-       INIT_LIST_HEAD ( &tls->rx_data );
 
        /* Start negotiation */
        tls_restart ( tls );