Avoid dangling ptrs in header and data params for PEM_read_bio_ex

In the event of a failure in PEM_read_bio_ex() we free the buffers we allocated for the header and data buffers. However we were not clearing the ptrs stored in *header and *data. Since, on success, the caller is responsible for freeing these ptrs this can potentially lead to a double free if the caller frees them even on failure. Thanks to Dawei Wang for reporting this issue. Based on a proposed patch by Kurt Roeckx. CVE-2022-4450 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
openssl · Feb 7, 2023 · ee6243f · ee6243f
1 parent b1892d2
commit ee6243f
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
@@ -995,7 +995,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
 
 out_free:
     PEM_FREE(*header, flags, 0);
+    *header = NULL;
     PEM_FREE(*data, flags, 0);
+    *data = NULL;
 end:
     EVP_ENCODE_CTX_free(ctx);
     PEM_FREE(name, flags, 0);