Fix memory leak on invalid CertificateRequest.

Free up parsed X509_NAME structure if the CertificateRequest message contains excess data. The security impact is considered insignificant. This is a client side only leak and a large number of connections to malicious servers would be needed to have a significant impact. This was found by libFuzzer. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
author: David Benjamin <davidben@google.com> 2016-03-14 15:03:07 -0400
committer: Dr. Stephen Henson <steve@openssl.org> 2016-04-07 19:25:48 +0100
commit: ec66c8c98881186abbb4a7ddd6617970f1ee27a7 (patch)
tree: 55c81cb1f081cde910d3ee582cf250643fc32144
parent: af2db04c9979554ada88d969da6332a827a47599 (diff)
download: openssl-new-ec66c8c98881186abbb4a7ddd6617970f1ee27a7.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 04cc9f54a9..19dc8648b9 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2199,6 +2199,7 @@ int ssl3_get_certificate_request(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
+        xn = NULL;
 
         p += l;
         nc += l + 2;
@@ -2222,6 +2223,7 @@ int ssl3_get_certificate_request(SSL *s)
  err:
     s->state = SSL_ST_ERR;
  done:
+    X509_NAME_free(xn);
     if (ca_sk != NULL)
         sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
     return (ret);
author	David Benjamin <davidben@google.com>	2016-03-14 15:03:07 -0400
committer	Dr. Stephen Henson <steve@openssl.org>	2016-04-07 19:25:48 +0100
commit	ec66c8c98881186abbb4a7ddd6617970f1ee27a7 (patch)
tree	55c81cb1f081cde910d3ee582cf250643fc32144
parent	af2db04c9979554ada88d969da6332a827a47599 (diff)
download	openssl-new-ec66c8c98881186abbb4a7ddd6617970f1ee27a7.tar.gz