Better handling of verify param id peername field

Initialize pointers in param id by the book (explicit NULL assignment,
rather than just memset 0).

In x509_verify_param_zero() set peername to NULL after freeing it.

In x509_vfy.c's internal check_hosts(), avoid potential leak of
possibly already non-NULL peername.  This is only set when a check
succeeds, so don't need to do this repeatedly in the loop.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a0724ef1c9b9e2090bdd96b784f492b6a3952957)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7bac197666c489eb8cb1feb1eb9d059d5614fcc9..ab94948f0135f2291f5be819b66224eafcd761d7 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -753,6 +753,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
     int n = sk_OPENSSL_STRING_num(id->hosts);
     char *name;
 
     int n = sk_OPENSSL_STRING_num(id->hosts);
     char *name;
 

+    if (id->peername != NULL) {
+        OPENSSL_free(id->peername);
+        id->peername = NULL;
+    }

     for (i = 0; i < n; ++i) {
         name = sk_OPENSSL_STRING_value(id->hosts, i);
         if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0)
     for (i = 0; i < n; ++i) {
         name = sk_OPENSSL_STRING_value(id->hosts, i);
         if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0)

diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 1ea0c69f5743d132b26b1dc2aa9faf80056dd5c2..592a8a5f6a5c94a6b7589803e994a916f097fcaa 100644 (file)
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -155,6 +155,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
     }
     if (paramid->peername)
         OPENSSL_free(paramid->peername);
     }
     if (paramid->peername)
         OPENSSL_free(paramid->peername);

+    paramid->peername = NULL;

     if (paramid->email) {
         OPENSSL_free(paramid->email);
         paramid->email = NULL;
     if (paramid->email) {
         OPENSSL_free(paramid->email);
         paramid->email = NULL;


@@ -165,7 +166,6 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
         paramid->ip = NULL;
         paramid->iplen = 0;
     }
         paramid->ip = NULL;
         paramid->iplen = 0;
     }

-

 }
 
 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
 }
 
 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)


@@ -176,13 +176,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
     param = OPENSSL_malloc(sizeof *param);
     if (!param)
         return NULL;
     param = OPENSSL_malloc(sizeof *param);
     if (!param)
         return NULL;

-    paramid = OPENSSL_malloc(sizeof *paramid);
+    memset(param, 0, sizeof(*param));
+
+    paramid = OPENSSL_malloc(sizeof(*paramid));

     if (!paramid) {
         OPENSSL_free(param);
         return NULL;
     }
     if (!paramid) {
         OPENSSL_free(param);
         return NULL;
     }

-    memset(param, 0, sizeof *param);
-    memset(paramid, 0, sizeof *paramid);
+    memset(paramid, 0, sizeof(*paramid));
+    /* Exotic platforms may have non-zero bit representation of NULL */
+    paramid->hosts = NULL;
+    paramid->peername = NULL;
+    paramid->email = NULL;
+    paramid->ip = NULL;
+

     param->id = paramid;
     x509_verify_param_zero(param);
     return param;
     param->id = paramid;
     x509_verify_param_zero(param);
     return param;