Fix a failure to NULL a pointer freed on error.

mattcaswell · mattcaswell · commit 1b4a8df38fc9 · 2015-02-25T20:40:38.000Z
Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org> CVE-2015-0209 Reviewed-by: Emilia Käsper <emilia@openssl.org>
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
@@ -1014,8 +1014,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
             ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        if (a)
-            *a = ret;
     } else
         ret = *a;
 
@@ -1067,10 +1065,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
         }
     }
 
+    if (a)
+        *a = ret;
     ok = 1;
  err:
     if (!ok) {
-        if (ret)
+        if (ret && (a == NULL || *a != ret))
             EC_KEY_free(ret);
         ret = NULL;
     }

Original file line number	Diff line number	Diff line change
`@@ -1014,8 +1014,6 @@ EC_KEY d2i_ECPrivateKey(EC_KEY a, const unsigned char *in, long len)`
`1014`	`1014`	`ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);`
`1015`	`1015`	`goto err;`
`1016`	`1016`	`}`
`1017`		`- if (a)`
`1018`		`- *a = ret;`
`1019`	`1017`	`} else`
`1020`	`1018`	`ret = *a;`
`1021`	`1019`
`@@ -1067,10 +1065,12 @@ EC_KEY d2i_ECPrivateKey(EC_KEY a, const unsigned char *in, long len)`
`1067`	`1065`	`}`
`1068`	`1066`	`}`
`1069`	`1067`
	`1068`	`+ if (a)`
	`1069`	`+ *a = ret;`
`1070`	`1070`	`ok = 1;`
`1071`	`1071`	`err:`
`1072`	`1072`	`if (!ok) {`
`1073`		`- if (ret)`
	`1073`	`+ if (ret && (a == NULL \|\| *a != ret))`
`1074`	`1074`	`EC_KEY_free(ret);`
`1075`	`1075`	`ret = NULL;`
`1076`	`1076`	`}`