From: Matt Caswell <matt@openssl.org>
Date: Tue, 26 Jun 2018 14:40:54 +0000 (+0100)
Subject: Fix a NULL ptr deref in error path in tls_process_cke_dhe()
X-Git-Tag: OpenSSL_1_1_0i~61
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1e8cb18d499604c1766bfcec23a358888eaf6551;p=oweals%2Fopenssl.git

Fix a NULL ptr deref in error path in tls_process_cke_dhe()

Fixes #6574

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6594)
---

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 5591e1e584..10301f1643 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2324,13 +2324,12 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
         SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB);
         goto err;
     }
+
     cdh = EVP_PKEY_get0_DH(ckey);
     pub_key = BN_bin2bn(data, i, NULL);
-
-    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
+    if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
         SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
-        if (pub_key != NULL)
-            BN_free(pub_key);
+        BN_free(pub_key);
         goto err;
     }