Fix a NULL deref in an error path

The SRP_create_verifier_BN function goes to the |err| label if the |salt|
value passed to it is NULL. It is then deref'd.

Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index e81ae01779673a7061188d4b76da25ef1988e9da..b271c9904cc5d880dc53b40ec606dac871fde0c3 100644 (file)
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -644,7 +644,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
     *salt = salttmp;
 
  err:
-    if (*salt != salttmp)
+    if (salt != NULL && *salt != salttmp)
         BN_clear_free(salttmp);
     BN_clear_free(x);
     BN_CTX_free(bn_ctx);