Avoid leak in error path of asn1_parse2
authorkinichiro <kinichiro.inoguchi@gmail.com>
Thu, 9 Jan 2020 14:22:25 +0000 (23:22 +0900)
committerTomas Mraz <tmraz@fedoraproject.org>
Tue, 14 Jan 2020 17:35:04 +0000 (18:35 +0100)
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10794)

(cherry picked from commit 6a165fab239ec5b00b3cd68169a63b509207177d)

crypto/asn1/asn1_par.c

index 4b60c615de7645d045afc76b8985de92e4d5fd5b..5abab9ab715bcaf9837c7b74d88ae2043a99dddb 100644 (file)
@@ -75,6 +75,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
     int nl, hl, j, r;
     ASN1_OBJECT *o = NULL;
     ASN1_OCTET_STRING *os = NULL;
+    ASN1_INTEGER *ai = NULL;
+    ASN1_ENUMERATED *ae = NULL;
     /* ASN1_BMPSTRING *bmp=NULL; */
     int dump_indent, dump_cont = 0;
 
@@ -250,22 +252,21 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                 ASN1_OCTET_STRING_free(os);
                 os = NULL;
             } else if (tag == V_ASN1_INTEGER) {
-                ASN1_INTEGER *bs;
                 int i;
 
                 opp = op;
-                bs = d2i_ASN1_INTEGER(NULL, &opp, len + hl);
-                if (bs != NULL) {
+                ai = d2i_ASN1_INTEGER(NULL, &opp, len + hl);
+                if (ai != NULL) {
                     if (BIO_write(bp, ":", 1) <= 0)
                         goto end;
-                    if (bs->type == V_ASN1_NEG_INTEGER)
+                    if (ai->type == V_ASN1_NEG_INTEGER)
                         if (BIO_write(bp, "-", 1) <= 0)
                             goto end;
-                    for (i = 0; i < bs->length; i++) {
-                        if (BIO_printf(bp, "%02X", bs->data[i]) <= 0)
+                    for (i = 0; i < ai->length; i++) {
+                        if (BIO_printf(bp, "%02X", ai->data[i]) <= 0)
                             goto end;
                     }
-                    if (bs->length == 0) {
+                    if (ai->length == 0) {
                         if (BIO_write(bp, "00", 2) <= 0)
                             goto end;
                     }
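Review bot: The sign check `if (ai->type == V_ASN1_NEG_INTEGER)` still guards an unbraced inner `if`, so one of the `goto end` exits that the new cleanup relies on sits two levels deep with no braces. Since the line is being touched anyway, folding it into a single condition reads more safely: `if (ai->type == V_ASN1_NEG_INTEGER && BIO_write(bp, "-", 1) <= 0) goto end;`. The same shape appears in the ENUMERATED branch at `ae->type == V_ASN1_NEG_ENUMERATED`. The INTEGER branch continues past the end of this hunk.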
@@ -274,24 +275,24 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                         goto end;
                     dump_cont = 1;
                 }
-                ASN1_INTEGER_free(bs);
+                ASN1_INTEGER_free(ai);
+                ai = NULL;
             } else if (tag == V_ASN1_ENUMERATED) {
-                ASN1_ENUMERATED *bs;
                 int i;
 
                 opp = op;
-                bs = d2i_ASN1_ENUMERATED(NULL, &opp, len + hl);
-                if (bs != NULL) {
+                ae = d2i_ASN1_ENUMERATED(NULL, &opp, len + hl);
+                if (ae != NULL) {
                     if (BIO_write(bp, ":", 1) <= 0)
                         goto end;
-                    if (bs->type == V_ASN1_NEG_ENUMERATED)
+                    if (ae->type == V_ASN1_NEG_ENUMERATED)
                         if (BIO_write(bp, "-", 1) <= 0)
                             goto end;
-                    for (i = 0; i < bs->length; i++) {
-                        if (BIO_printf(bp, "%02X", bs->data[i]) <= 0)
+                    for (i = 0; i < ae->length; i++) {
+                        if (BIO_printf(bp, "%02X", ae->data[i]) <= 0)
                             goto end;
                     }
-                    if (bs->length == 0) {
+                    if (ae->length == 0) {
                         if (BIO_write(bp, "00", 2) <= 0)
                             goto end;
                     }
@@ -300,7 +301,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                         goto end;
                     dump_cont = 1;
                 }
-                ASN1_ENUMERATED_free(bs);
+                ASN1_ENUMERATED_free(ae);
+                ae = NULL;
             } else if (len > 0 && dump) {
                 if (!nl) {
                     if (BIO_write(bp, "\n", 1) <= 0)
@@ -341,6 +343,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
  end:
     ASN1_OBJECT_free(o);
     ASN1_OCTET_STRING_free(os);
+    ASN1_INTEGER_free(ai);
+    ASN1_ENUMERATED_free(ae);
     *pp = p;
     return ret;
 }
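Review bot: The two new frees under `end:` are only safe because every in-loop `ASN1_INTEGER_free(ai)` and `ASN1_ENUMERATED_free(ae)` is followed by a reset to NULL. If a later edit drops one of those resets, the leak fixed here becomes a double free on the same BIO write failure path. A comment above the label would record the rule, for example `/* ai, ae and os are non-NULL here only if a branch jumped out mid-print; reset them to NULL after every in-loop free */`. No test is visible in this commit; parsing an INTEGER and an ENUMERATED into a BIO whose writes fail, run under a leak checker, would pin the fix. asn1_parse2 begins outside this hunk, so the rest of the cleanup cannot be checked from here.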