From 59ae04d74a57cf791af510a717b5822950a0f875 Mon Sep 17 00:00:00 2001
From: raja-ashok <rashok.svks@gmail.com>
Date: Tue, 3 Dec 2019 19:31:49 +1000
Subject: [PATCH] Set argument only after successful dup on CMP APIs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10511)
---
 crypto/cmp/cmp_ctx.c  | 23 ++++++++++++++++++-----
 crypto/cmp/cmp_util.c |  8 +++++---
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 4a70b33ee7..89ecab1413 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -68,14 +68,21 @@ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
  */
 int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
 {
+    STACK_OF(X509) *untrusted_certs;
     if (ctx == NULL) {
         CMPerr(0, CMP_R_NULL_ARGUMENT);
         return 0;
     }
-    sk_X509_pop_free(ctx->untrusted_certs, X509_free);
-    if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
+    if ((untrusted_certs = sk_X509_new_null()) == NULL)
         return 0;
-    return ossl_cmp_sk_X509_add1_certs(ctx->untrusted_certs, certs, 0, 1, 0);
+    if (ossl_cmp_sk_X509_add1_certs(untrusted_certs, certs, 0, 1, 0) != 1)
+        goto err;
+    sk_X509_pop_free(ctx->untrusted_certs, X509_free);
+    ctx->untrusted_certs = untrusted_certs;
+    return 1;
+err:
+    sk_X509_pop_free(untrusted_certs, X509_free);
+    return 0;
 }
 
 /*
@@ -373,13 +380,19 @@ int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
 int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
                                   const int len)
 {
+    ASN1_OCTET_STRING *secretValue = NULL;
     if (ctx == NULL) {
         CMPerr(0, CMP_R_NULL_ARGUMENT);
         return 0;
     }
-    if (ctx->secretValue != NULL)
+    if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1)
+        return 0;
+    if (ctx->secretValue != NULL) {
         OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
-    return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->secretValue, sec, len);
+        ASN1_OCTET_STRING_free(ctx->secretValue);
+    }
+    ctx->secretValue = secretValue;
+    return 1;
 }
 
 /*
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index 9490496cbe..0390c23e66 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -408,21 +408,23 @@ STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert)
 int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
                                     const ASN1_OCTET_STRING *src)
 {
+    ASN1_OCTET_STRING *new;
     if (tgt == NULL) {
         CMPerr(0, CMP_R_NULL_ARGUMENT);
         return 0;
     }
     if (*tgt == src) /* self-assignment */
         return 1;
-    ASN1_OCTET_STRING_free(*tgt);
 
     if (src != NULL) {
-        if ((*tgt = ASN1_OCTET_STRING_dup(src)) == NULL)
+        if ((new = ASN1_OCTET_STRING_dup(src)) == NULL)
             return 0;
     } else {
-        *tgt = NULL;
+        new = NULL;
     }
 
+    ASN1_OCTET_STRING_free(*tgt);
+    *tgt = new;
     return 1;
 }
 
-- 
2.25.1