Bladeren bron

[tls] Ensure received data list is initialised before calling tls_free()

A failure in tls_generate_random() will result in a call to ref_put()
before the received data list has been initialised, which will cause
free_tls() to attempt to traverse an uninitialised list.

Fix by ensuring that all fields referenced by free_tls() are
initialised before any of the potential failure paths.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 6 jaren geleden
bovenliggende
commit
ac4fbd47ae
1 gewijzigde bestanden met toevoegingen van 3 en 3 verwijderingen
  1. 3
    3
      src/net/tls.c

+ 3
- 3
src/net/tls.c Bestand weergeven

@@ -2788,6 +2788,9 @@ int add_tls ( struct interface *xfer, const char *name,
2788 2788
 	tls_clear_cipher ( tls, &tls->rx_cipherspec );
2789 2789
 	tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
2790 2790
 	tls->client_random.gmt_unix_time = time ( NULL );
2791
+	iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
2792
+		       sizeof ( tls->rx_header ) );
2793
+	INIT_LIST_HEAD ( &tls->rx_data );
2791 2794
 	if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
2792 2795
 			  ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
2793 2796
 		goto err_random;
@@ -2797,9 +2800,6 @@ int add_tls ( struct interface *xfer, const char *name,
2797 2800
 		      ( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) {
2798 2801
 		goto err_random;
2799 2802
 	}
2800
-	iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
2801
-		       sizeof ( tls->rx_header ) );
2802
-	INIT_LIST_HEAD ( &tls->rx_data );
2803 2803
 
2804 2804
 	/* Start negotiation */
2805 2805
 	tls_restart ( tls );

Laden…
Annuleren
Opslaan