From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Mon, 20 Nov 2023 09:05:49 +0000 (+0100)
Subject: Fix a possible use-after-free in custom_exts_free
X-Git-Tag: openssl-3.3.0-alpha1~600
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc0773bbbd4d3ace6957385f1f22a5cda25dc94f;p=thirdparty%2Fopenssl.git

Fix a possible use-after-free in custom_exts_free

This may happen when ssl_cert_dup calls custom_exts_copy, where
a possible memory allocation error causes custom_exts_free
to be called twice: once in the error handling of custom_exts_copy
and a second time in the error handling of ssl_cert_dup.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22772)
---

diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index 7c049d29707..fd840e8918e 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -342,6 +342,8 @@ void custom_exts_free(custom_ext_methods *exts)
         OPENSSL_free(meth->parse_arg);
     }
     OPENSSL_free(exts->meths);
+    exts->meths = NULL;
+    exts->meths_count = 0;
 }
 
 /* Return true if a client custom extension exists, false otherwise */