From: Michael Brown <mcb30@ipxe.org>
Date: Mon, 31 Mar 2025 16:44:59 +0000 (+0100)
Subject: [x509] Ensure certificate remains valid during x509_append()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a48bb32145ce14b11d5d1e2a537d3d567489385;p=thirdparty%2Fipxe.git

[x509] Ensure certificate remains valid during x509_append()

The allocation of memory for the certificate chain link may cause the
certificate itself to be freed by the cache discarder, if the only
current reference to the certificate is held by the certificate store
and the system runs out of memory during the call to malloc().

Ensure that this cannot happen by taking out a temporary additional
reference to the certificate within x509_append(), rather than
requiring the caller to do so.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index acb27411a..10bc6369a 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1634,11 +1634,17 @@ struct x509_chain * x509_alloc_chain ( void ) {
  */
 int x509_append ( struct x509_chain *chain, struct x509_certificate *cert ) {
 	struct x509_link *link;
+	int rc;
+
+	/* Ensure allocation of link cannot invalidate certificate */
+	x509_get ( cert );
 
 	/* Allocate link */
 	link = zalloc ( sizeof ( *link ) );
-	if ( ! link )
-		return -ENOMEM;
+	if ( ! link ) {
+		rc = -ENOMEM;
+		goto err_alloc;
+	}
 
 	/* Add link to chain */
 	link->cert = x509_get ( cert );
@@ -1646,7 +1652,12 @@ int x509_append ( struct x509_chain *chain, struct x509_certificate *cert ) {
 	DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
 	       chain, cert, x509_name ( cert ) );
 
-	return 0;
+	/* Success */
+	rc = 0;
+
+	x509_put ( cert );
+ err_alloc:
+	return rc;
 }
 
 /**
diff --git a/src/net/tls.c b/src/net/tls.c
index 4c135f090..643b9292d 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2470,9 +2470,6 @@ static int tls_new_certificate_request ( struct tls_connection *tls,
 	/* Determine client certificate to be sent, if any */
 	cert = x509_find_key ( NULL, tls->client.key );
 	if ( cert ) {
-
-		/* Get temporary reference to certificate */
-		x509_get ( cert );
 		DBGC ( tls, "TLS %p selected client certificate %s\n",
 		       tls, x509_name ( cert ) );
 
@@ -2491,14 +2488,10 @@ static int tls_new_certificate_request ( struct tls_connection *tls,
 		       "to private key\n", tls );
 	}
 
-	/* Drop local reference (if any) to client certificate */
-	x509_put ( cert );
-
 	return 0;
 
  err_auto_append:
  err_append:
-	x509_put ( cert );
 	x509_chain_put ( tls->client.chain );
 	tls->client.chain = NULL;
  err_alloc: