openssl/backport-Fix-potential-double-free.patch

From 75a4f263ba9d3ec1e9d55ca5024aee62aec70475 Mon Sep 17 00:00:00 2001
From: Todd Short <tshort@akamai.com>
Date: Fri, 13 Aug 2021 09:59:59 -0400
Subject: [PATCH] Fix potential double-free

The `sk` variable is assigned to `s->session->peer_chain`.
If `ssl3_digest_cached_records()` were to fail, then `sk` would still be
non-NULL, and subsequently freed on the error return. When the session
is freed, it will then attempt to free `s->session->peer_chain`,
resulting in a double-free (of `sk`).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16309)

(cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef)
---
 ssl/statem/statem_srvr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 30d20f1297..d701c46b43 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3753,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
 
     sk_X509_pop_free(s->session->peer_chain, X509_free);
     s->session->peer_chain = sk;
+    sk = NULL;
 
     /*
      * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
@@ -3767,7 +3768,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
      * Inconsistency alert: cert_chain does *not* include the peer's own
      * certificate, while we do include it in statem_clnt.c
      */
-    sk = NULL;
 
     /* Save the current hash state for when we receive the CertificateVerify */
     if (SSL_IS_TLS13(s)) {
--
backport upstream patches 2021-12-25 18:00:50 +08:00			`From 75a4f263ba9d3ec1e9d55ca5024aee62aec70475 Mon Sep 17 00:00:00 2001`
			`From: Todd Short <tshort@akamai.com>`
			`Date: Fri, 13 Aug 2021 09:59:59 -0400`
			`Subject: [PATCH] Fix potential double-free`

			The `sk` variable is assigned to `s->session->peer_chain`.
			If `ssl3_digest_cached_records()` were to fail, then `sk` would still be
			`non-NULL, and subsequently freed on the error return. When the session`
			is freed, it will then attempt to free `s->session->peer_chain`,
			resulting in a double-free (of `sk`).

			`Reviewed-by: Matt Caswell <matt@openssl.org>`
			`Reviewed-by: Tomas Mraz <tomas@openssl.org>`
			`(Merged from https://github.com/openssl/openssl/pull/16309)`

			`(cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef)`
			`---`
			`ssl/statem/statem_srvr.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c`
			`index 30d20f1297..d701c46b43 100644`
			`--- a/ssl/statem/statem_srvr.c`
			`+++ b/ssl/statem/statem_srvr.c`
			`@@ -3753,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL s, PACKET pkt)`

			`sk_X509_pop_free(s->session->peer_chain, X509_free);`
			`s->session->peer_chain = sk;`
			`+ sk = NULL;`

			`/*`
			`* Freeze the handshake buffer. For <TLS1.3 we do this after the CKE`
			`@@ -3767,7 +3768,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL s, PACKET pkt)`
			`* Inconsistency alert: cert_chain does not include the peer's own`
			`* certificate, while we do include it in statem_clnt.c`
			`*/`
			`- sk = NULL;`

			`/* Save the current hash state for when we receive the CertificateVerify */`
			`if (SSL_IS_TLS13(s)) {`
			`--`