[x509] Ensure certificate remains valid during x509_append()

The allocation of memory for the certificate chain link may cause the certificate itself to be freed by the cache discarder, if the only current reference to the certificate is held by the certificate store and the system runs out of memory during the call to malloc(). Ensure that this cannot happen by taking out a temporary additional reference to the certificate within x509_append(), rather than requiring the caller to do so. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-04-04 03:00:20 +03:00 · 2025-03-31 17:44:59 +01:00
parent a289b4b8c2
commit 0a48bb3214
2 changed files with 14 additions and 10 deletions
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2470,9 +2470,6 @@ static int tls_new_certificate_request ( struct tls_connection *tls,
 	/* Determine client certificate to be sent, if any */
 	cert = x509_find_key ( NULL, tls->client.key );
 	if ( cert ) {
-
-		/* Get temporary reference to certificate */
-		x509_get ( cert );
 		DBGC ( tls, "TLS %p selected client certificate %s\n",
 		       tls, x509_name ( cert ) );

@@ -2491,14 +2488,10 @@ static int tls_new_certificate_request ( struct tls_connection *tls,
 		       "to private key\n", tls );
 	}

-	/* Drop local reference (if any) to client certificate */
-	x509_put ( cert );
-
 	return 0;

 err_auto_append:
 err_append:
-	x509_put ( cert );
 	x509_chain_put ( tls->client.chain );
 	tls->client.chain = NULL;
 err_alloc: