Fix use-after-free in error case.
authorCarl Hetherington <cth@carlh.net>
Tue, 15 Aug 2023 10:33:33 +0000 (12:33 +0200)
committerCarl Hetherington <cth@carlh.net>
Tue, 15 Aug 2023 10:33:33 +0000 (12:33 +0200)
src/certificate_chain.cc

index 51f2ca6814d950214625015444cf331dfc69ed64..449dba89e7a07a0bfda61c4db9a66e1952122f48 100644 (file)
@@ -471,16 +471,18 @@ CertificateChain::chain_valid(List const & chain, string* error) const
                }
 
                int const v = X509_verify_cert (ctx);
-               X509_STORE_CTX_free (ctx);
 
                if (v != 1) {
                        X509_STORE_free (store);
                        if (error) {
                                *error = X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx));
                        }
+                       X509_STORE_CTX_free(ctx);
                        return false;
                }
 
+               X509_STORE_CTX_free(ctx);
+
                /* I don't know why OpenSSL doesn't check this stuff
                   in verify_cert, but without these checks the
                   certificates_validation8 test fails.
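Review bot: In the `v != 1` branch, `X509_STORE_free (store);` still runs before `X509_STORE_CTX_get_error(ctx)` and `X509_STORE_CTX_free(ctx);`, so the context outlives the store it was presumably initialised with (that call is above the hunk). Reading the error code from `ctx` is probably harmless, but releasing in reverse order of acquisition removes the doubt: move `X509_STORE_free (store);` to just after `X509_STORE_CTX_free(ctx);` in that branch. Hand-written frees on each return path are what let the original use-after-free in, so it may be worth holding both objects in `std::unique_ptr` with `X509_STORE_CTX_free` and `X509_STORE_free` as deleters. That would also cover any later exits in `chain_valid`, whose body starts and ends outside this hunk.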