As long as X509_OBJECT_free_contents(3) is a public API function,

make sure it fully re-initializes the object rather than leaving
behind a stale pointer and a stale type in the object.

The old behaviour was dangerous because X509_OBJECT_get_type(3)
would then return the stale type to the user and one of
X509_OBJECT_get0_X509(3) or X509_OBJECT_get0_X509_CRL(3) would
then return the stale pointer to the user, provoking a use-after-free
bug in the application program.  Having these functions return
X509_LU_NONE and NULL is better because those are the documented
return values for these functions when the object is empty.

OK tb@

diff --git a/lib/libcrypto/x509/x509_lu.c b/lib/libcrypto/x509/x509_lu.c
index dd04897..ca96edf 100644 (file)
--- a/lib/libcrypto/x509/x509_lu.c
+++ b/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.52 2021/11/07 15:52:38 tb Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.53 2021/11/19 07:49:27 schwarze Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -451,6 +451,8 @@ X509_OBJECT_free_contents(X509_OBJECT *a)
                X509_CRL_free(a->data.crl);
                break;
        }
+       memset(a, 0, sizeof(*a));
+       a->type = X509_LU_NONE;
 }
 
 static int