PR: 1868

Submitted by: Paolo Ganci <Paolo.Ganci@AdNovum.CH>
Approved by: steve@openssl.org

Don't set fields to NULL when freeing them up in ASN1 code. On some platforms
with sizeof(long) < sizeof(char *) this can cause a crash.

diff --git a/CHANGES b/CHANGES
index 4d5295c16be5f3a7d5ac57cf754b70c22e1bee79..2316496348da84d3f6502242682b5be15ec94bdc 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.8j and 0.9.8k  [xx XXX xxxx]
 
+  *) Don't set val to NULL when freeing up structures, it is freed up by
+     underlying code. If sizeof(void *) > sizeof(long) this can result in
+     zeroing past the valid field. (CVE-2009-0789)
+     [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
+
   *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
      checked correctly. This would allow some invalid signed attributes to
      appear to verify correctly. (CVE-2009-0591)

diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 36626da421c6cc037adf821d10ea08fc00ef802c..48bc1c0d4d090be4c43fa6910b907157a05b5fad 100644 (file)
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -611,7 +611,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 
        err:
        ASN1_template_free(val, tt);
-       *val = NULL;
        return 0;
        }
 
@@ -758,7 +757,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 
        err:
        ASN1_template_free(val, tt);
-       *val = NULL;
        return 0;
        }