apps/cmp.c and APP_HTTP_TLS_INFO: Fix use-after-free and add proper free() function

Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14971)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2021-04-21 13:28:00 +0200
committer: Dr. David von Oheimb <dev@ddvo.net> 2021-04-22 20:39:00 +0200
commit: ef203432f7b551382216e9aa7de00039e6d45ac0 (patch)
tree: 29a89425afc407737375cc58858cc200b35f1968 /apps
parent: 078fa35c7bd7e7392b07e032297a341fef695c42 (diff)
3 files changed, 16 insertions, 14 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index da28c3215e..1fbf10c4a4 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2851,15 +2851,7 @@ int cmp_main(int argc, char **argv)
         OSSL_CMP_CTX_print_errors(cmp_ctx);
 
     ossl_cmp_mock_srv_free(OSSL_CMP_CTX_get_transfer_cb_arg(cmp_ctx));
-    {
-        APP_HTTP_TLS_INFO *http_tls_info =
-            OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx);
-
-        if (http_tls_info != NULL) {
-            SSL_CTX_free(http_tls_info->ssl_ctx);
-            OPENSSL_free(http_tls_info);
-        }
-    }
+    APP_HTTP_TLS_INFO_free(OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx));
     X509_STORE_free(OSSL_CMP_CTX_get_certConf_cb_arg(cmp_ctx));
     OSSL_CMP_CTX_free(cmp_ctx);
     X509_VERIFY_PARAM_free(vpm);
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 2709b0ccaf..2d102246f8 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -271,6 +271,7 @@ typedef struct app_http_tls_info_st {
 } APP_HTTP_TLS_INFO;
 BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
                      int connect, int detail);
+void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info);
 # ifndef OPENSSL_NO_SOCK
 ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
                               const char *no_proxy, SSL_CTX *ssl_ctx,
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 7eadf5a4b5..e39e7cd061 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2392,12 +2392,12 @@ static const char *tls_error_hint(void)
 /* HTTP callback function that supports TLS connection also via HTTPS proxy */
 BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
 {
-    APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
-    SSL_CTX *ssl_ctx = info->ssl_ctx;
-    SSL *ssl;
-    BIO *sbio = NULL;
-
     if (connect && detail) { /* connecting with TLS */
+        APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
+        SSL_CTX *ssl_ctx = info->ssl_ctx;
+        SSL *ssl;
+        BIO *sbio = NULL;
+
         if ((info->use_proxy
              && !OSSL_HTTP_proxy_connect(hbio, info->server, info->port,
                                          NULL, NULL, /* no proxy credentials */
@@ -2418,6 +2418,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
         hbio = BIO_push(sbio, hbio);
     } else if (!connect && !detail) { /* disconnecting after error */
         const char *hint = tls_error_hint();
+
         if (hint != NULL)
             ERR_add_error_data(2, " : ", hint);
         /*
@@ -2428,6 +2429,14 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
     return hbio;
 }
 
+void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info)
+{
+    if (info != NULL) {
+        SSL_CTX_free(info->ssl_ctx);
+        OPENSSL_free(info);
+    }
+}
+
 ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
                               const char *no_proxy, SSL_CTX *ssl_ctx,
                               const STACK_OF(CONF_VALUE) *headers,
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2021-04-21 13:28:00 +0200
committer	Dr. David von Oheimb <dev@ddvo.net>	2021-04-22 20:39:00 +0200
commit	ef203432f7b551382216e9aa7de00039e6d45ac0 (patch)
tree	29a89425afc407737375cc58858cc200b35f1968 /apps
parent	078fa35c7bd7e7392b07e032297a341fef695c42 (diff)