From 91fb42ddbef7a88640d1a0f853c941c20df07de7 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 27 Apr 2016 12:55:44 +0100 Subject: [PATCH] Free a BIGNUM on error in BN_mpi2bn In the BN_mpi2bn() function, a failure of a call to BN_bin2bn() could result in the leak of a previously allocated BIGNUM value. Reviewed-by: Richard Levitte --- crypto/bn/bn_mpi.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/crypto/bn/bn_mpi.c b/crypto/bn/bn_mpi.c index 80d105dd55..86d96750b9 100644 --- a/crypto/bn/bn_mpi.c +++ b/crypto/bn/bn_mpi.c @@ -94,34 +94,36 @@ BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *a) if (n < 4) { BNerr(BN_F_BN_MPI2BN, BN_R_INVALID_LENGTH); - return (NULL); + return NULL; } len = ((long)d[0] << 24) | ((long)d[1] << 16) | ((int)d[2] << 8) | (int) d[3]; if ((len + 4) != n) { BNerr(BN_F_BN_MPI2BN, BN_R_ENCODING_ERROR); - return (NULL); + return NULL; } if (a == NULL) a = BN_new(); if (a == NULL) - return (NULL); + return NULL; if (len == 0) { a->neg = 0; a->top = 0; - return (a); + return a; } d += 4; if ((*d) & 0x80) neg = 1; - if (BN_bin2bn(d, (int)len, a) == NULL) - return (NULL); + if (BN_bin2bn(d, (int)len, a) == NULL) { + BN_free(a); + return NULL; + } a->neg = neg; if (neg) { BN_clear_bit(a, BN_num_bits(a) - 1); } bn_check_top(a); - return (a); + return a; } -- 2.25.1