Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[tls] Ensure received data list is initialised before calling tls_free()
A failure in tls_generate_random() will result in a call to ref_put()
before the received data list has been initialised, which will cause
free_tls() to attempt to traverse an uninitialised list.

Fix by ensuring that all fields referenced by free_tls() are
initialised before any of the potential failure paths.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
mcb30 committed Mar 23, 2018
1 parent eda9f4d commit ac4fbd4
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions src/net/tls.c
Expand Up @@ -2788,6 +2788,9 @@ int add_tls ( struct interface *xfer, const char *name,
tls_clear_cipher ( tls, &tls->rx_cipherspec );
tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
tls->client_random.gmt_unix_time = time ( NULL );
iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
sizeof ( tls->rx_header ) );
INIT_LIST_HEAD ( &tls->rx_data );
if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
goto err_random;
Expand All @@ -2797,9 +2800,6 @@ int add_tls ( struct interface *xfer, const char *name,
( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) {
goto err_random;
}
iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
sizeof ( tls->rx_header ) );
INIT_LIST_HEAD ( &tls->rx_data );

/* Start negotiation */
tls_restart ( tls );
Expand Down

0 comments on commit ac4fbd4

Please sign in to comment.