From: David Benjamin Date: Mon, 14 Mar 2016 19:03:07 +0000 (-0400) Subject: Fix memory leak on invalid CertificateRequest. X-Git-Tag: OpenSSL_1_0_1t~22 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=7a433893adbe7eab3c41581175493d9e5326ba3f;p=oweals%2Fopenssl.git Fix memory leak on invalid CertificateRequest. Free up parsed X509_NAME structure if the CertificateRequest message contains excess data. The security impact is considered insignificant. This is a client side only leak and a large number of connections to malicious servers would be needed to have a significant impact. This was found by libFuzzer. Reviewed-by: Emilia Käsper Reviewed-by: Stephen Henson (cherry picked from commit ec66c8c98881186abbb4a7ddd6617970f1ee27a7) --- diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index cfa5080e6b..9e5875f1f9 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -2104,6 +2104,7 @@ int ssl3_get_certificate_request(SSL *s) SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); goto err; } + xn = NULL; p += l; nc += l + 2; @@ -2127,6 +2128,7 @@ int ssl3_get_certificate_request(SSL *s) err: s->state = SSL_ST_ERR; done: + X509_NAME_free(xn); if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return (ret);