projects / oweals / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6655ac4)
Fix a failure to NULL a pointer freed on error.
authorMatt Caswell <matt@openssl.org>
Thu, 19 Mar 2015 10:16:32 +0000 (10:16 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 19 Mar 2015 13:00:45 +0000 (13:00 +0000)
Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
crypto/asn1/x_x509.c patch | blob | history
crypto/ec/ec_asn1.c patch | blob | history

diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index 018a18bce179233b1e2978934fcaed5d3096452e..d6958f6c1abc23981a4c03216e97984a88d660a9 100644 (file)
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -179,8 +179,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
     const unsigned char *q;
     X509 *ret;
+    int freeret = 0;
+
     /* Save start position */
     q = *pp;
+
+    if(!a || *a == NULL) {
+        freeret = 1;
+    }
     ret = d2i_X509(a, pp, length);
     /* If certificate unreadable then forget it */
     if (!ret)
@@ -193,7 +199,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
         goto err;
     return ret;
  err:
-    X509_free(ret);
+    if(freeret) {
+        X509_free(ret);
+        if (a)
+            *a = NULL;
+    }
     return NULL;
 }
 
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index d3e8316ffb40d07aaca2c540abb88b566dfc4e2a..4ca2545e842a46bf5c693682febd57cc765c976b 100644 (file)
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1196,16 +1196,19 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
             ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
             return NULL;
         }
-        if (a)
-            *a = ret;
     } else
         ret = *a;
 
     if (!d2i_ECPKParameters(&ret->group, in, len)) {
         ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
+        if (a == NULL || *a != ret)
+             EC_KEY_free(ret);
         return NULL;
     }
 
+    if (a)
+        *a = ret;
+
     return ret;
 }
 
Unnamed repository; edit this file 'description' to name the repository.