From 63ae8476796510c15163c9bd18998ccef6c1de16 Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Thu, 11 Feb 2021 16:10:50 -0800 Subject: [PATCH] x509_vfy: remove redundant stack allocation Fix CID 1472833 by removing a codepath that attempts to allocate a stack if not already allocated, when the stack was already allocated unconditionally a few lines previously. Interestingly enough, this additional allocation path (and the comment describing the need for it) were added in commit 69664d6af0cdd7738f55d10fbbe46cdf15f72e0e, also prompted by Coverity(!). It seems that the intervening (and much more recent) commit d53b437f9992f974c1623e9b9b9bdf053aefbcc3 that allowed sk_X509_dup() to accept a NULL argument allowed the earlier initialization path to unconditionally allocate a stack, rendering this later allocation fully redundant. Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14161) --- crypto/x509/x509_vfy.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 58598bbf1f3..4e192abec4b 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -3033,17 +3033,9 @@ static int build_chain(X509_STORE_CTX *ctx) /* * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add - * them to our working copy of the untrusted certificate stack. Since the - * caller of X509_STORE_CTX_init() may have provided only a leaf cert with - * no corresponding stack of untrusted certificates, we may need to create - * an empty stack first. [ At present only the ssl library provides DANE - * support, and ssl_verify_cert_chain() always provides a non-null stack - * containing at least the leaf certificate, but we must be prepared for - * this to change. ] + * them to our working copy of the untrusted certificate stack. */ if (DANETLS_ENABLED(dane) && dane->certs != NULL) { - if (sk_untrusted == NULL && (sk_untrusted = sk_X509_new_null()) == NULL) - goto memerr; if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) { sk_X509_free(sk_untrusted); goto memerr; -- 2.47.2