Permalink
Browse files

Fix a failure to NULL a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
  • Loading branch information...
mattcaswell committed Mar 19, 2015
1 parent 367eab2 commit 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f
Showing with 16 additions and 3 deletions.
  1. +11 −1 crypto/asn1/x_x509.c
  2. +5 −2 crypto/ec/ec_asn1.c
View
@@ -168,8 +168,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
{
const unsigned char *q;
X509 *ret;
int freeret = 0;
/* Save start position */
q = *pp;
if(!a || *a == NULL) {
freeret = 1;
}
ret = d2i_X509(a, pp, length);
/* If certificate unreadable then forget it */
if (!ret)
@@ -182,7 +188,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
goto err;
return ret;
err:
X509_free(ret);
if(freeret) {
X509_free(ret);
if (a)
*a = NULL;
}
return NULL;
}
View
@@ -1226,16 +1226,19 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
return NULL;
}
if (a)
*a = ret;
} else
ret = *a;
if (!d2i_ECPKParameters(&ret->group, in, len)) {
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
if (a == NULL || *a != ret)
EC_KEY_free(ret);
return NULL;
}
if (a)
*a = ret;
return ret;
}

1 comment on commit 5e5d53d

@rwessman

This comment has been minimized.

rwessman commented on 5e5d53d Mar 20, 2015

Leaving "ret" (line 170) uninitialized leaves open the possibility that a future change that causes a jump to the err label before it is set at line 179. It would be safer to initialize it when it is declared.

Please sign in to comment.