From 1ecb4854420873b81260e82cb317673609053858 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 21 Mar 2021 16:56:42 +0000
Subject: Avoid a use-after-scope in tls13_cert_add().

A parent CBB retains a reference to a child CBB until CBB_flush() or
CBB_cleanup() is called. As such, the cert_exts CBB must be at function
scope.

Reported by Ilya Shipitsin.

ok tb@
---
 src/lib/libssl/tls13_lib.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 72c7708d91..0b3f636b93 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_lib.c,v 1.56 2021/01/05 17:47:35 tb Exp $ */
+/*	$OpenBSD: tls13_lib.c,v 1.57 2021/03/21 16:56:42 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -429,9 +429,9 @@ tls13_ctx_free(struct tls13_ctx *ctx)
 
 int
 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
-    int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
+    int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
 {
-	CBB cert_data;
+	CBB cert_data, cert_exts;
 	uint8_t *data;
 	int cert_len;
 
@@ -448,7 +448,6 @@ tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
 		if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
 			return 0;
 	} else {
-		CBB cert_exts;
 		if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
 			return 0;
 	}
-- 
cgit v1.2.3-55-g6feb