From ac4fbd47aea136185e17975bd68c268bf0cc081e Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Fri, 23 Mar 2018 11:07:29 +0000
Subject: [tls] Ensure received data list is initialised before calling tls_free()

A failure in tls_generate_random() will result in a call to ref_put() before the received data list has been initialised, which will cause free_tls() to attempt to traverse an uninitialised list. Fix by ensuring that all fields referenced by free_tls() are initialised before any of the potential failure paths.
Signed-off-by: Michael Brown
---
 src/net/tls.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/net/tls.c b/src/net/tls.c
index b197c111..329c6fe0 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2788,6 +2788,9 @@ int add_tls ( struct interface *xfer, const char *name,
 tls_clear_cipher ( tls, &tls->rx_cipherspec );
 tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
 tls->client_random.gmt_unix_time = time ( NULL );
+ iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
+ sizeof ( tls->rx_header ) );
+ INIT_LIST_HEAD ( &tls->rx_data );
 if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
 ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
 goto err_random;
@@ -2797,9 +2800,6 @@ int add_tls ( struct interface *xfer, const char *name,
 ( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) {
 goto err_random;
 }
- iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
- sizeof ( tls->rx_header ) );
- INIT_LIST_HEAD ( &tls->rx_data );
 /* Start negotiation */
 tls_restart ( tls );
-- 
cgit v1.2.3-55-g7522
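Review bot: The ordering constraint this hunk establishes is not recorded in the code: nothing next to the relocated `iob_populate ( &tls->rx_header_iobuf, ... )` and `INIT_LIST_HEAD ( &tls->rx_data )` calls says they have to stay ahead of the first `goto err_random`. According to the commit message the error path reaches free_tls() through ref_put(), and free_tls() traverses `rx_data`, so a later reshuffle of this setup code could quietly bring back the walk over an uninitialised list head. I would add a comment directly above the two calls, for example `/* Must precede any failure path: free_tls() traverses rx_data */`. add_tls() begins and ends outside the hunk, so whether any failure path exists before this point cannot be confirmed from the lines shown.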