From b829dda57b4c8a44eff53682ed56492ad46ce3ad Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Thu, 23 Jan 2020 11:42:52 +0100 Subject: [PATCH] BUG/MINOR: ssl: increment issuer refcount if in chain When using the OCSP response, if the issuer of the response is in the certificate chain, its address will be stored in ckch->ocsp_issuer. However, since the ocsp_issuer could be filled by a separate file, this pointer is free'd. The refcount of the X509 need to be incremented to avoid a double free if we free the ocsp_issuer AND the chain. --- src/ssl_sock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 4ff051b9b..db9621b21 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3468,6 +3468,7 @@ static int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_c issuer = sk_X509_value(ckch->chain, i); if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) { ckch->ocsp_issuer = issuer; + X509_up_ref(ckch->ocsp_issuer); break; } else issuer = NULL;