From: Dr. Stephen Henson Date: Thu, 18 Feb 2016 12:47:23 +0000 (+0000) Subject: Fix double free in DSA private key parsing. X-Git-Tag: OpenSSL_1_0_2g~26 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6c88c71b4e4825c7bc0489306d062d017634eb88;p=oweals%2Fopenssl.git Fix double free in DSA private key parsing. Fix double free bug when parsing malformed DSA private keys. Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using libFuzzer. CVE-2016-0705 Reviewed-by: Emilia Käsper --- diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index e385dd3a6f..cc83d6e6ad 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -191,6 +191,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) STACK_OF(ASN1_TYPE) *ndsa = NULL; DSA *dsa = NULL; + int ret = 0; + if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) return 0; X509_ALGOR_get0(NULL, &ptype, &pval, palg); @@ -262,23 +264,21 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) } EVP_PKEY_assign_DSA(pkey, dsa); - BN_CTX_free(ctx); - if (ndsa) - sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); - else - ASN1_STRING_clear_free(privkey); - return 1; + ret = 1; + goto done; decerr: DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_DECODE_ERROR); dsaerr: + DSA_free(dsa); + done: BN_CTX_free(ctx); - if (privkey) + if (ndsa) + sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); + else ASN1_STRING_clear_free(privkey); - sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); - DSA_free(dsa); - return 0; + return ret; } static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)