diff options
author | Matt Caswell <matt@openssl.org> | 2015-03-19 10:16:32 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-03-19 12:59:31 +0000 |
commit | a4517be9e348634ac64f9cf093131e13e8c03e38 (patch) | |
tree | 46eb12013bc61ff986d5af3ec6174ff05071148b | |
parent | 6e24e1cdd20d568ca11a95943f34c6031c60a1df (diff) | |
download | openssl-new-a4517be9e348634ac64f9cf093131e13e8c03e38.tar.gz |
Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r-- | crypto/asn1/x_x509.c | 12 | ||||
-rw-r--r-- | crypto/ec/ec_asn1.c | 7 |
2 files changed, 16 insertions, 3 deletions
diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index 2644d5f279..d51b76e79e 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -172,8 +172,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) { const unsigned char *q; X509 *ret; + int freeret = 0; + /* Save start position */ q = *pp; + + if(!a || *a == NULL) { + freeret = 1; + } ret = d2i_X509(a, pp, length); /* If certificate unreadable then forget it */ if (!ret) @@ -186,7 +192,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) goto err; return ret; err: - X509_free(ret); + if(freeret) { + X509_free(ret); + if (a) + *a = NULL; + } return NULL; } diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 6ff94a3563..b4b0e9f3b8 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -1226,16 +1226,19 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len) ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE); return NULL; } - if (a) - *a = ret; } else ret = *a; if (!d2i_ECPKParameters(&ret->group, in, len)) { ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB); + if (a == NULL || *a != ret) + EC_KEY_free(ret); return NULL; } + if (a) + *a = ret; + return ret; } |