From: Matt Caswell <matt@openssl.org>
Date: Thu, 12 Nov 2015 15:54:30 +0000 (+0000)
Subject: Fix a NULL deref in an error path
X-Git-Tag: OpenSSL_1_1_0-pre1~161
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=3bbd1d63e2d77e4e36e869640086f74714b3a4ee;p=oweals%2Fopenssl.git

Fix a NULL deref in an error path

The SRP_create_verifier_BN function goes to the |err| label if the |salt|
value passed to it is NULL. It is then deref'd.

Reviewed-by: Rich Salz <rsalz@openssl.org>
---

diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index e81ae01779..b271c9904c 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -644,7 +644,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
     *salt = salttmp;
 
  err:
-    if (*salt != salttmp)
+    if (salt != NULL && *salt != salttmp)
         BN_clear_free(salttmp);
     BN_clear_free(x);
     BN_CTX_free(bn_ctx);