From: Dr. Stephen Henson Date: Wed, 25 Mar 2009 10:42:34 +0000 (+0000) Subject: PR: 1868 X-Git-Tag: OpenSSL_0_9_8k~4 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c60dca1f95457a9cb6deca7a4c3f81f99fe05b11;p=oweals%2Fopenssl.git PR: 1868 Submitted by: Paolo Ganci Approved by: steve@openssl.org Don't set fields to NULL when freeing them up in ASN1 code. On some platforms with sizeof(long) < sizeof(char *) this can cause a crash. --- diff --git a/CHANGES b/CHANGES index 4d5295c16b..2316496348 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.8j and 0.9.8k [xx XXX xxxx] + *) Don't set val to NULL when freeing up structures, it is freed up by + underlying code. If sizeof(void *) > sizeof(long) this can result in + zeroing past the valid field. (CVE-2009-0789) + [Paolo Ganci ] + *) Fix bug where return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly. (CVE-2009-0591) diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index 36626da421..48bc1c0d4d 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -611,7 +611,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, err: ASN1_template_free(val, tt); - *val = NULL; return 0; } @@ -758,7 +757,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, err: ASN1_template_free(val, tt); - *val = NULL; return 0; }
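Review bot: In the CHANGES hunk, the new entry refers to "val" without naming the code it belongs to, so a changelog reader cannot tell which functions changed. Suggest naming the two decoder error paths touched in crypto/asn1/tasn_dec.c (asn1_template_ex_d2i and asn1_template_noexp_d2i). The size condition should also be written one way: the entry says sizeof(void *) > sizeof(long), while the commit message says sizeof(long) < sizeof(char *).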
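Review bot: At the err: label in asn1_template_ex_d2i (hunk at -611), dropping "*val = NULL;" leaves nothing in the source to say why the pointer is not reset after ASN1_template_free(val, tt), which invites a later cleanup to put the store back. Suggest a short comment at the label stating that ASN1_template_free is responsible for the field, and that a pointer-sized store through val can write past a field that is only sizeof(long) wide. Since the function still returns 0 on this path, it is also worth confirming that no caller depended on *val being NULL after a failed decode.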
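Review bot: The err: path of asn1_template_noexp_d2i (hunk at -758) gets the same one-line removal, and the patch adds no test covering either path. Suggest a regression test that forces a decode failure through a template whose field is narrower than a pointer, built where sizeof(long) < sizeof(char *), and checks that the bytes following the field are unchanged after the function returns 0.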