The branch openssl-3.0 has been updated via c526c510fadc0e25a93c1069b7362f1feab5ab28 (commit) from 1d02ce4f3793e51d16d1653c562d051755e24ee2 (commit)
- Log ----------------------------------------------------------------- commit c526c510fadc0e25a93c1069b7362f1feab5ab28 Author: Tomas Mraz <to...@openssl.org> Date: Thu Dec 16 16:24:44 2021 +0100 ossl_provider_add_to_store: Avoid use-after-free Avoid freeing a provider that was not up-ref-ed before. Fixes #17292 Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17295) (cherry picked from commit 33df7cbe5e38feb0cf962386bcac061c3743ecf2) ----------------------------------------------------------------------- Summary of changes: crypto/provider_core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index cb4c07c781..bc61239957 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -603,6 +603,9 @@ int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov, OSSL_PROVIDER tmpl = { 0, }; OSSL_PROVIDER *actualtmp = NULL; + if (actualprov != NULL) + *actualprov = NULL; + if ((store = get_provider_store(prov->libctx)) == NULL) return 0; @@ -659,7 +662,7 @@ int ossl_provider_add_to_store(OSSL_PROVIDER *prov, OSSL_PROVIDER **actualprov, err: CRYPTO_THREAD_unlock(store->lock); if (actualprov != NULL) - ossl_provider_free(actualtmp); + ossl_provider_free(*actualprov); return 0; }