From: Steffan Karger <steffan@karger.me>
Date: Sun, 7 Oct 2018 10:00:32 +0000 (+0200)
Subject: Fix use-after-free in tls_ctx_use_management_external_key
X-Git-Tag: v2.5_beta1~420
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68e0b9db253ff0437047d6a5377eeec6002873f8;p=thirdparty%2Fopenvpn.git

Fix use-after-free in tls_ctx_use_management_external_key

Commit 98bfeeb4 changed our openssl backend implementation of
tls_ctx_use_management_external_key() to no longer use
tls_ctx_load_cert_file_and_copy(), but still free'd 'cert'. Which it no
longer should do. Credits go to Arne for spotting the issue (even though
it was missed during the review).

The offending commit is only recently applied to the master branch, so was
never part of a OpenVPN release. For that reason I did not do full impact
analysis.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20181007100032.17060-1-steffan@karger.me>
URL: https://www.mail-archive.com/search?l=mid&q=20181007100032.17060-1-steffan@karger.me
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 9777b86a8..1a66d1788 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1296,7 +1296,6 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
     /* get the public key */
     EVP_PKEY *pkey = X509_get0_pubkey(cert);
     ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
-    X509_free(cert);
 
     if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
     {