apps/cmp.c: fix cleanup of CMP_CTX vs. APP_HTTP_TLS_INFO in its http_cb_arg field

Prevent crashes on error by making sure the info is freed after OSSL_CMP_CTX_free(), which may call OSSL_HTTP_close() and thus indirectly reference the info. Moreover, should not attempt to reference the cmp_ctx variable when NULL. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18702)
2022-07-01 20:38:59 +02:00 · 2022-07-01 20:38:59 +02:00 · 8c094747d7
parent 93d9d60976
commit 8c094747d7
1 changed files with 11 additions and 5 deletions
--- a/apps/cmp.c
+++ b/apps/cmp.c
@ -1942,7 +1942,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
        if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
            goto err;
        (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
-        /* info will be freed along with CMP ctx */
        info->server = opt_server;
        info->port = server_port;
        /* workaround for callback design flaw, see #17088: */
@ -3035,12 +3034,19 @@ int cmp_main(int argc, char **argv)
    if (ret != 1)
        OSSL_CMP_CTX_print_errors(cmp_ctx);

-    ossl_cmp_mock_srv_free(OSSL_CMP_CTX_get_transfer_cb_arg(cmp_ctx));
+    if (cmp_ctx != NULL) {
 #ifndef OPENSSL_NO_SOCK
-    APP_HTTP_TLS_INFO_free(OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx));
+        APP_HTTP_TLS_INFO *info = OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx);
+
 #endif
-    X509_STORE_free(OSSL_CMP_CTX_get_certConf_cb_arg(cmp_ctx));
-    OSSL_CMP_CTX_free(cmp_ctx);
+        ossl_cmp_mock_srv_free(OSSL_CMP_CTX_get_transfer_cb_arg(cmp_ctx));
+        X509_STORE_free(OSSL_CMP_CTX_get_certConf_cb_arg(cmp_ctx));
+        /* cannot free info already here, as it may be used indirectly by: */
+        OSSL_CMP_CTX_free(cmp_ctx);
+#ifndef OPENSSL_NO_SOCK
+        APP_HTTP_TLS_INFO_free(info);
+#endif
+    }
    X509_VERIFY_PARAM_free(vpm);
    release_engine(engine);