author | David Benjamin <davidben@google.com> | 2016-03-14 15:03:07 -0400 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-04-07 19:25:48 +0100 |
commit | ec66c8c98881186abbb4a7ddd6617970f1ee27a7 | |
tree | 55c81cb1f081cde910d3ee582cf250643fc32144 | |
parent | af2db04c9979554ada88d969da6332a827a47599 | |

Fix memory leak on invalid CertificateRequest.

Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.

The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.

This was found by libFuzzer.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

-rw-r--r-- | ssl/s3_clnt.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 04cc9f54a9..19dc8648b9 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -2199,6 +2199,7 @@ int ssl3_get_certificate_request(SSL *s) SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); goto err; } + xn = NULL; p += l; nc += l + 2; @@ -2222,6 +2223,7 @@ int ssl3_get_certificate_request(SSL *s) err: s->state = SSL_ST_ERR; done: + X509_NAME_free(xn); if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return (ret); |
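
Review bot: In the first hunk (@@ -2199), the new `xn = NULL;` after the ERR_R_MALLOC_FAILURE branch carries no comment saying why the pointer is cleared. The second hunk frees `xn` at `done:` and also releases every entry of `ca_sk` with X509_NAME_free, so if, as the placement suggests, the name has just been handed to `ca_sk`, this assignment is the only thing preventing a double free. A one-line comment stating that `ca_sk` now owns the name would stop a later cleanup from removing or moving it.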
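
Review bot: In the second hunk (@@ -2222), `X509_NAME_free(xn);` at `done:` runs on every exit from ssl3_get_certificate_request, including any `goto err` or `goto done` taken before `xn` is first assigned, so it is only safe if `xn` is initialised to NULL at its declaration, which lies outside the visible context. Please confirm the initialiser is there or add it in this patch. Since the commit message says the leak was found by libFuzzer, a regression test that feeds a CertificateRequest with excess data would keep this path covered.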