author Benjamin Kaduk <bkaduk@akamai.com> 2021-02-11 16:10:50 -0800
committer Shane Lontis <shane.lontis@oracle.com> 2021-02-15 14:08:28 +1000
commit 63ae8476796510c15163c9bd18998ccef6c1de16
tree ee05d6cdfbb84bb22f1fe83a15f1f7d25867a0f5 /crypto
parent 99c166a1b0408e6d5c6efdc402fa859652048751
x509_vfy: remove redundant stack allocation
Fix CID 1472833 by removing a codepath that attempts to allocate a stack if not already allocated, when the stack was already allocated unconditionally a few lines previously.

Interestingly enough, this additional allocation path (and the comment describing the need for it) were added in commit 69664d6af0cdd7738f55d10fbbe46cdf15f72e0e, also prompted by Coverity(!). It seems that the intervening (and much more recent) commit d53b437f9992f974c1623e9b9b9bdf053aefbcc3 that allowed sk_X509_dup() to accept a NULL argument allowed the earlier initialization path to unconditionally allocate a stack, rendering this later allocation fully redundant.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14161)
Diffstat (limited to 'crypto')
-rw-r--r-- crypto/x509/x509_vfy.c 10
1 files changed, 1 insertions, 9 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 58598bbf1f..4e192abec4 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -3033,17 +3033,9 @@ static int build_chain(X509_STORE_CTX *ctx)
/*
* If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add
- * them to our working copy of the untrusted certificate stack. Since the
- * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
- * no corresponding stack of untrusted certificates, we may need to create
- * an empty stack first. [ At present only the ssl library provides DANE
- * support, and ssl_verify_cert_chain() always provides a non-null stack
- * containing at least the leaf certificate, but we must be prepared for
- * this to change. ]
+ * them to our working copy of the untrusted certificate stack.
*/
if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
- if (sk_untrusted == NULL && (sk_untrusted = sk_X509_new_null()) == NULL)
- goto memerr;
if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) {
sk_X509_free(sk_untrusted);
goto memerr;
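Review bot: With the `sk_untrusted == NULL` guard gone, the call `X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)` depends on an allocation that happens outside this hunk, and the shortened comment no longer says why the stack is guaranteed non-NULL here. The removed comment was the only place that recorded the case of a caller of X509_STORE_CTX_init() supplying a leaf certificate with no untrusted stack. Consider keeping one sentence in the comment stating that sk_untrusted has already been allocated unconditionally earlier in build_chain(), or adding a debug assertion on `sk_untrusted != NULL` before the call, so that a later change to the earlier initialization cannot silently hand a NULL stack to X509_add_certs() on the DANE path.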