authorBernd Edlinger <bernd.edlinger@hotmail.de>2023-11-20 10:05:49 +0100
committerRichard Levitte <levitte@openssl.org>2023-11-22 09:36:28 +0100
commit54e178640dee143742a11842469591dc315d5b5f (patch)
tree8ecb8faacf0f9b81f22f0b2d26aee62ea8f2a55e
parent757d6491ebebc541f54c0aa8043b8e5b31a58a7e (diff)
Fix a possible use-after-free in custom_exts_free
This may happen when ssl_cert_dup calls custom_exts_copy, where a possible memory allocation error causes custom_exts_free to be called twice: once in the error handling of custom_exts_copy and a second time in the error handling of ssl_cert_dup. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22772) (cherry picked from commit bc0773bbbd4d3ace6957385f1f22a5cda25dc94f)
-rw-r--r--ssl/statem/extensions_cust.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index 7c049d2970..fd840e8918 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -342,6 +342,8 @@ void custom_exts_free(custom_ext_methods *exts)
OPENSSL_free(meth->parse_arg);
}
OPENSSL_free(exts->meths);
+ exts->meths = NULL;
+ exts->meths_count = 0;
}
/* Return true if a client custom extension exists, false otherwise */
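Review bot: The two stores added after `OPENSSL_free(exts->meths)` are what make a second call to custom_exts_free harmless, but nothing in the code says so, and they read like dead stores that a later cleanup could remove. A short comment above them would record the intent, for example `/* Reset so a repeated call, as in the ssl_cert_dup error path, is a no-op */`. The start of custom_exts_free is outside the hunk, so this assumes the per-method frees above are bounded by `meths_count`; if they are, zeroing the count is what keeps `add_arg` and `parse_arg` from being freed again, and clearing `meths` alone would not be enough.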