diff options
author | Matt Caswell <matt@openssl.org> | 2015-03-19 10:16:32 +0000 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-22 00:41:40 +0200 |
commit | 843e826def0aa23258690c39aa03fc2862516842 (patch) | |
tree | 155e7d2a124b5e34dc6e5561b28e912cdd239cba | |
parent | 46211383efeca9935db7ea6e796a2d2b90a1438b (diff) | |
download | replicant_openssl-843e826def0aa23258690c39aa03fc2862516842.zip replicant_openssl-843e826def0aa23258690c39aa03fc2862516842.tar.gz replicant_openssl-843e826def0aa23258690c39aa03fc2862516842.tar.bz2 |
Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r-- | crypto/asn1/x_x509.c | 12 | ||||
-rw-r--r-- | crypto/ec/ec_asn1.c | 7 |
2 files changed, 16 insertions, 3 deletions
diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index de3df9e..8b74d02 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -170,8 +170,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) { const unsigned char *q; X509 *ret; + int freeret = 0; + /* Save start position */ q = *pp; + + if(!a || *a == NULL) { + freeret = 1; + } ret = d2i_X509(a, pp, length); /* If certificate unreadable then forget it */ if(!ret) return NULL; @@ -181,7 +187,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err; return ret; err: - X509_free(ret); + if(freeret) { + X509_free(ret); + if (a) + *a = NULL; + } return NULL; } diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 175eec5..ccd1ecd 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -1358,8 +1358,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len) ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE); return NULL; } - if (a) - *a = ret; } else ret = *a; @@ -1367,9 +1365,14 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len) if (!d2i_ECPKParameters(&ret->group, in, len)) { ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB); + if (a == NULL || *a != ret) + EC_KEY_free(ret); return NULL; } + if (a) + *a = ret; + return ret; } |