crypto: fix use-after-free risk in ManagedX509 assignment

omghante · omghante · commit 9da6f80c84de · 2026-04-15T04:53:35.000+05:30
Fixes a potential double-free issue where ManagedX509::operator= resets the underlying smart pointer using a raw pointer from another instance before incrementing the reference count. If both instances were managing the same underlying OpenSSL object, the reset could decrement the reference count to 0 and free the object before the reference count could be incremented. This fixes Coverity issue 367349 where different smart pointers were seemingly managing the same raw pointer. Fixes: #56926
diff --git a/src/crypto/crypto_x509.cc b/src/crypto/crypto_x509.cc
@@ -59,9 +59,12 @@ ManagedX509::ManagedX509(const ManagedX509& that) {
 }
 
 ManagedX509& ManagedX509::operator=(const ManagedX509& that) {
-  cert_.reset(that.get());
-  if (cert_) [[likely]]
-    X509_up_ref(cert_.get());
+  if (this == &that) return *this;
+
+  X509* cert = that.get();
+  if (cert) [[likely]]
+    X509_up_ref(cert);
+  cert_.reset(cert);
   return *this;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -59,9 +59,12 @@ ManagedX509::ManagedX509(const ManagedX509& that) {`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`ManagedX509& ManagedX509::operator=(const ManagedX509& that) {`
`62`		`- cert_.reset(that.get());`
`63`		`- if (cert_) [[likely]]`
`64`		`- X509_up_ref(cert_.get());`
	`62`	`+ if (this == &that) return *this;`
	`63`	`+`
	`64`	`+ X509* cert = that.get();`
	`65`	`+ if (cert) [[likely]]`
	`66`	`+ X509_up_ref(cert);`
	`67`	`+ cert_.reset(cert);`
`65`	`68`	`return *this;`
`66`	`69`	`}`
`67`	`70`