Fix a crash in reuse of d2i_X509_PUBKEY

author Bernd Edlinger <bernd.edlinger@hotmail.de>

Wed, 30 Jan 2019 15:20:31 +0000 (16:20 +0100)

committer Bernd Edlinger <bernd.edlinger@hotmail.de>

Thu, 31 Jan 2019 19:03:29 +0000 (20:03 +0100)
author Bernd Edlinger <bernd.edlinger@hotmail.de>
Wed, 30 Jan 2019 15:20:31 +0000 (16:20 +0100)
committer Bernd Edlinger <bernd.edlinger@hotmail.de>
Thu, 31 Jan 2019 19:03:29 +0000 (20:03 +0100)
diff --git a/CHANGES b/CHANGES

index b810a1293619ba835654a7277f3464d630707144..d6342524f7b3fc0692b02f1fcdc0a21956806126 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
  
   Changes between 1.1.0j and 1.1.0k [xx XXX xxxx]
  
+  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+     re-used X509_PUBKEY object if the second PUBKEY is malformed.
+     [Bernd Edlinger]
+
    *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
       [Richard Levitte]
  
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c

index cc692834d1fa8a951151e1fe5f51316fb6674c78..03271cbe97c5b19a2765ff638dd8e95bbaf5f185 100644 (file)
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
          /* Attempt to decode public key and cache in pubkey structure. */
          X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
          EVP_PKEY_free(pubkey->pkey);
+        pubkey->pkey = NULL;
          /*
           * Opportunistically decode the key but remove any non fatal errors
           * from the queue. Subsequent explicit attempts to decode/use the key
author	Bernd Edlinger <bernd.edlinger@hotmail.de>
	Wed, 30 Jan 2019 15:20:31 +0000 (16:20 +0100)
committer	Bernd Edlinger <bernd.edlinger@hotmail.de>
	Thu, 31 Jan 2019 19:03:29 +0000 (20:03 +0100)
CHANGES		patch \| blob \| history
crypto/x509/x_pubkey.c		patch \| blob \| history