[release-branch.go1.11] crypto/x509: fix value ownership in isSSLPoli…

…cy on macOS CFDictionaryGetValueIfPresent does not take ownership of the value, so releasing the properties dictionary before passing the value to CFEqual can crash. Not really clear why this works most of the time. See https://developer.apple.com/library/archive/documentation/CoreFoundation/Conceptual/CFMemoryMgmt/Concepts/Ownership.html Fixes #32281 Updates #28092 Updates #30763 Change-Id: I5ee7ca276b753a48abc3aedfb78b8af68b448dd4 Reviewed-on: https://go-review.googlesource.com/c/go/+/178537 Reviewed-by: Adam Langley <[email protected]> (cherry picked from commit a3d4655) Reviewed-on: https://go-review.googlesource.com/c/go/+/179340 Run-TryBot: Dmitri Shuralyov <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
golang · Jun 7, 2019 · d497d80 · d497d80
1 parent efa061d
commit d497d80
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/crypto/x509/root_cgo_darwin.go b/src/crypto/x509/root_cgo_darwin.go
@@ -16,21 +16,21 @@ package x509
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 
-static bool isSSLPolicy(SecPolicyRef policyRef) {
+static Boolean isSSLPolicy(SecPolicyRef policyRef) {
 	if (!policyRef) {
 		return false;
 	}
 	CFDictionaryRef properties = SecPolicyCopyProperties(policyRef);
 	if (properties == NULL) {
 		return false;
 	}
+	Boolean isSSL = false;
 	CFTypeRef value = NULL;
 	if (CFDictionaryGetValueIfPresent(properties, kSecPolicyOid, (const void **)&value)) {
-		CFRelease(properties);
-		return CFEqual(value, kSecPolicyAppleSSL);
+		isSSL = CFEqual(value, kSecPolicyAppleSSL);
 	}
 	CFRelease(properties);
-	return false;
+	return isSSL;
 }
 
 // sslTrustSettingsResult obtains the final kSecTrustSettingsResult value