summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2015-02-09 11:38:41 +0000
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2015-10-22 01:10:47 +0200
commit18c7b49354bd72fdafa77b6b6dbb3b3d3e8a9ae6 (patch)
treeb771ae8d22b7c00f6fdfc2621592e3a205039760
parent7448dd4ce976a92739463f5b5b1649a4bf8037cc (diff)
downloadreplicant_openssl-18c7b49354bd72fdafa77b6b6dbb3b3d3e8a9ae6.zip
replicant_openssl-18c7b49354bd72fdafa77b6b6dbb3b3d3e8a9ae6.tar.gz
replicant_openssl-18c7b49354bd72fdafa77b6b6dbb3b3d3e8a9ae6.tar.bz2
Fix a failure to NULL a pointer freed on error.
Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org> CVE-2015-0209 Reviewed-by: Emilia Käsper <emilia@openssl.org>
-rw-r--r--crypto/ec/ec_asn1.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index ccd1ecd..1f27781 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1140,8 +1140,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
ERR_R_MALLOC_FAILURE);
goto err;
}
- if (a)
- *a = ret;
}
else
ret = *a;
@@ -1206,11 +1204,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
}
}
+ if (a)
+ *a = ret;
ok = 1;
err:
if (!ok)
{
- if (ret)
+ if (ret && (a == NULL || *a != ret))
EC_KEY_free(ret);
ret = NULL;
}