diff options
author | zekeevans-mf <77804765+zekeevans-mf@users.noreply.github.com> | 2021-01-21 12:24:51 -0700 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-02-18 12:11:53 +0100 |
commit | bcb61b39b47419b9de1dbc37cd2f67b71eeb23ea (patch) | |
tree | 3dad4b6111b94d81acc44a8555b211db24c8ae07 /providers/implementations | |
parent | 5d8ffebbcdf4992d3c428201b1f3330020bbe92e (diff) | |
download | openssl-new-bcb61b39b47419b9de1dbc37cd2f67b71eeb23ea.tar.gz |
Add deep copy of propq field in mac_dupctx to avoid double free
mac_dupctx() should make a copy of the propq field. Currently it
does a shallow copy which can result in a double free and crash.
The double free occurs when using a provider property string.
For example, passing in "fips=no" to SSL_CTX_new_ex() causes the
propq field to get set to that value. When mac_dupctx() and
mac_freectx() is called (ie: in SSL_write()) it ends up freeing
the reference of the original object instead of a copy.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13926)
Diffstat (limited to 'providers/implementations')
-rw-r--r-- | providers/implementations/signature/mac_legacy.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c index 7d23e36f2b..2386583069 100644 --- a/providers/implementations/signature/mac_legacy.c +++ b/providers/implementations/signature/mac_legacy.c @@ -172,9 +172,13 @@ static void *mac_dupctx(void *vpmacctx) return NULL; *dstctx = *srcctx; + dstctx->propq = NULL; dstctx->key = NULL; dstctx->macctx = NULL; + if (srcctx->propq != NULL && (dstctx->propq = OPENSSL_strdup(srcctx->propq)) == NULL) + goto err; + if (srcctx->key != NULL && !ossl_mac_key_up_ref(srcctx->key)) goto err; dstctx->key = srcctx->key; |