Fix a NULL ptr deref in error path in tls_process_cke_dhe()

author Matt Caswell <matt@openssl.org>

Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)

committer Matt Caswell <matt@openssl.org>

Mon, 2 Jul 2018 13:52:43 +0000 (14:52 +0100)
author Matt Caswell <matt@openssl.org>
Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)
committer Matt Caswell <matt@openssl.org>
Mon, 2 Jul 2018 13:52:43 +0000 (14:52 +0100)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c

index 5591e1e584280d9988c8359af930f1c2d5e7b034..10301f1643897e501fd55b393568898c7dffea52 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2324,13 +2324,12 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
          SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB);
          goto err;
      }
+
      cdh = EVP_PKEY_get0_DH(ckey);
      pub_key = BN_bin2bn(data, i, NULL);
-
-    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
+    if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
          SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
-        if (pub_key != NULL)
-            BN_free(pub_key);
+        BN_free(pub_key);
          goto err;
      }
author	Matt Caswell <matt@openssl.org>
	Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)
committer	Matt Caswell <matt@openssl.org>
	Mon, 2 Jul 2018 13:52:43 +0000 (14:52 +0100)