Fix potential double-free

The `sk` variable is assigned to `s->session->peer_chain`. If `ssl3_digest_cached_records()` were to fail, then `sk` would still be non-NULL, and subsequently freed on the error return. When the session is freed, it will then attempt to free `s->session->peer_chain`, resulting in a double-free (of `sk`). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16309) (cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef)
author: Todd Short <tshort@akamai.com> 2021-08-13 09:59:59 -0400
committer: Tomas Mraz <tomas@openssl.org> 2021-08-16 12:57:15 +0200
commit: 75a4f263ba9d3ec1e9d55ca5024aee62aec70475 (patch)
tree: bbcfc39b41acf2fbe0d907cc2bd4be1104476682 /ssl
parent: 33e8f03e98acdf3c505b2ee82dd7e595d11e3b6f (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 30d20f1297..d701c46b43 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3753,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
 
     sk_X509_pop_free(s->session->peer_chain, X509_free);
     s->session->peer_chain = sk;
+    sk = NULL;
 
     /*
      * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
@@ -3767,7 +3768,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
      * Inconsistency alert: cert_chain does *not* include the peer's own
      * certificate, while we do include it in statem_clnt.c
      */
-    sk = NULL;
 
     /* Save the current hash state for when we receive the CertificateVerify */
     if (SSL_IS_TLS13(s)) {
author	Todd Short <tshort@akamai.com>	2021-08-13 09:59:59 -0400
committer	Tomas Mraz <tomas@openssl.org>	2021-08-16 12:57:15 +0200
commit	75a4f263ba9d3ec1e9d55ca5024aee62aec70475 (patch)
tree	bbcfc39b41acf2fbe0d907cc2bd4be1104476682 /ssl
parent	33e8f03e98acdf3c505b2ee82dd7e595d11e3b6f (diff)