From: Pauli <ppzgs1@gmail.com>
Date: Wed, 3 Feb 2021 07:47:38 +0000 (+1000)
Subject: Fix a use after free issue when a provider context is being used and isn't cached
X-Git-Tag: openssl-3.0.0-alpha12~146
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8549b97214ce1b4ba61eae893c80d9b0ed7e35f0;p=thirdparty%2Fopenssl.git

Fix a use after free issue when a provider context is being used and isn't cached

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14053)
---

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 46f4d201d99..e89b591978f 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -25,12 +25,8 @@
 
 void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force)
 {
-    EVP_MD_free(ctx->fetched_digest);
-    ctx->fetched_digest = NULL;
-    ctx->reqdigest = NULL;
-
     if (ctx->provctx != NULL) {
-        if (ctx->digest->freectx != NULL)
+        if (ctx->digest != NULL && ctx->digest->freectx != NULL)
             ctx->digest->freectx(ctx->provctx);
         ctx->provctx = NULL;
         EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
@@ -55,6 +51,11 @@ void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force)
     ENGINE_finish(ctx->engine);
     ctx->engine = NULL;
 #endif
+
+    /* Non legacy code, this has to be later than the ctx->digest cleaning */
+    EVP_MD_free(ctx->fetched_digest);
+    ctx->fetched_digest = NULL;
+    ctx->reqdigest = NULL;
 }
 
 /* This call frees resources associated with the context */