Check *_get_ex_data() and *_set_ex_data() return values.

Closes #3389. Thanks to Qingpeng Du.

Author: ralight

ChangeLog.txt

@@ -3,6 +3,10 @@
 
 Broker:
 - Fix handling of disconnected sessions for `per_listener_settings true`
+- Check return values of openssl *_get_ex_data() and *_set_ex_data() to
+  prevent possible crash. This could occur only in extremely unlikely
+  situations. See https://github.com/eclipse-mosquitto/mosquitto/issues/3389
+  Closes #3389.
 
 
 2.0.22 - 2025-07-11

lib/net_mosq.c

@@ -650,6 +650,8 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 	EVP_PKEY *pkey;
 #endif
 
+	net__init_tls();
+
 #ifndef WITH_BROKER
 	if(mosq->user_ssl_ctx){
 		mosq->ssl_ctx = mosq->user_ssl_ctx;
@@ -666,7 +668,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 	 * has not been set, or if both of MOSQ_OPT_SSL_CTX and
 	 * MOSQ_OPT_SSL_CTX_WITH_DEFAULTS are set. */
 	if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk || mosq->tls_use_os_certs){
-		net__init_tls();
 		if(!mosq->ssl_ctx){
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -881,7 +882,11 @@ int net__socket_connect_step3(struct mosquitto *mosq, const char *host)
 			return MOSQ_ERR_TLS;
 		}
 
-		SSL_set_ex_data(mosq->ssl, tls_ex_index_mosq, mosq);
+		if(!SSL_set_ex_data(mosq->ssl, tls_ex_index_mosq, mosq)){
+			net__socket_close(mosq);
+			net__print_ssl_error(mosq);
+			return MOSQ_ERR_TLS;
+		}
 		bio = BIO_new_socket(mosq->sock, BIO_NOCLOSE);
 		if(!bio){
 			net__socket_close(mosq);

lib/tls_mosq.c

@@ -55,6 +55,7 @@ int mosquitto__server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
 	if(!preverify_ok) return 0;
 
 	ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+	if(!ssl) return 0;
 	mosq = SSL_get_ex_data(ssl, tls_ex_index_mosq);
 	if(!mosq) return 0;
 

src/net.c

@@ -211,8 +211,11 @@ struct mosquitto *net__socket_accept(struct mosquitto__listener_sock *listensock
 			context__cleanup(new_context, true);
 			return NULL;
 		}
-		SSL_set_ex_data(new_context->ssl, tls_ex_index_context, new_context);
-		SSL_set_ex_data(new_context->ssl, tls_ex_index_listener, new_context->listener);
+		if(!SSL_set_ex_data(new_context->ssl, tls_ex_index_context, new_context)
+				|| !SSL_set_ex_data(new_context->ssl, tls_ex_index_listener, new_context->listener)){
+			context__cleanup(new_context, true);
+			return NULL;
+		}
 		new_context->want_write = true;
 		bio = BIO_new_socket(new_sock, BIO_NOCLOSE);
 		SSL_set_bio(new_context->ssl, bio, bio);
@@ -321,6 +324,13 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 	FILE *dhparamfile;
 	DH *dhparam = NULL;
 
+	if(tls_ex_index_context == -1){
+		tls_ex_index_context = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
+	}
+	if(tls_ex_index_listener == -1){
+		tls_ex_index_listener = SSL_get_ex_new_index(0, "listener", NULL, NULL, NULL);
+	}
+
 	if(listener->ssl_ctx){
 		SSL_CTX_free(listener->ssl_ctx);
 	}
@@ -918,13 +928,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
 		}
 #  ifdef FINAL_WITH_TLS_PSK
 		if(listener->psk_hint){
-			if(tls_ex_index_context == -1){
-				tls_ex_index_context = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
-			}
-			if(tls_ex_index_listener == -1){
-				tls_ex_index_listener = SSL_get_ex_new_index(0, "listener", NULL, NULL, NULL);
-			}
-
 			if(listener->certfile == NULL || listener->keyfile == NULL){
 				if(net__tls_server_ctx(listener)){
 					return 1;