Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577)
[openssl.git] / crypto / x509v3 / v3_pci.c
index 601211f41691f75f34eb40c79d8c0c4fd083a136..0dcfa004fe23332649c4e949b3817951f9325924 100644 (file)
@@ -82,7 +82,7 @@ static int process_pci_value(CONF_VALUE *val,
                {
                if (*language)
                        {
-                       X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
+                       X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
                        X509V3_conf_err(val);
                        return 0;
                        }
@@ -97,7 +97,7 @@ static int process_pci_value(CONF_VALUE *val,
                {
                if (*pathlen)
                        {
-                       X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
+                       X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
                        X509V3_conf_err(val);
                        return 0;
                        }
@@ -128,7 +128,12 @@ static int process_pci_value(CONF_VALUE *val,
                        unsigned char *tmp_data2 =
                                string_to_hex(val->value + 4, &val_len);
 
-                       if (!tmp_data2) goto err;
+                       if (!tmp_data2) 
+                               {
+                               X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
+                               X509V3_conf_err(val);
+                               goto err;
+                               }
 
                        tmp_data = OPENSSL_realloc((*policy)->data,
                                (*policy)->length + val_len + 1);
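Review bot: The added branch reports `X509V3_R_ILLEGAL_HEX_DIGIT` for every NULL return from `string_to_hex`, which may mislabel other failures. If that helper can also fail on an allocation error or an odd number of digits (its body is not shown on this page), the error queue will name the wrong cause. Consider keeping only `X509V3_conf_err(val);` here if the helper already queues its own reason code, or add a comment such as `/* string_to_hex has already queued the specific reason */`. The enclosing function starts and ends outside the hunk.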
@@ -140,6 +145,17 @@ static int process_pci_value(CONF_VALUE *val,
                                (*policy)->length += val_len;
                                (*policy)->data[(*policy)->length] = '\0';
                                }
+                       else
+                               {
+                               OPENSSL_free(tmp_data2);
+                               /* realloc failure implies the original data space is b0rked too! */
+                               (*policy)->data = NULL;
+                               (*policy)->length = 0;
+                               X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+                               X509V3_conf_err(val);
+                               goto err;
+                               }
+                       OPENSSL_free(tmp_data2);
                        }
                else if (strncmp(val->value, "file:", 5) == 0)
                        {
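Review bot: The new else branch sets `(*policy)->data = NULL` without releasing the old buffer, so a failed `OPENSSL_realloc` leaks whatever policy data had been accumulated. Assuming `OPENSSL_realloc` follows the usual realloc contract, the original block is still allocated and valid on failure, which is the opposite of what the added comment says. Put `OPENSSL_free((*policy)->data);` before the assignment and reword the comment to something like `/* realloc failed: release the old buffer and leave the policy empty */`. The else branch added in the later hunk at `-190,6 +207,15` has the same problem and needs the same line. The `err:` label is outside the hunk, so its cleanup is not visible here, but once `data` is NULL it cannot free the old block.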
@@ -169,6 +185,7 @@ static int process_pci_value(CONF_VALUE *val,
                                (*policy)->length += n;
                                (*policy)->data[(*policy)->length] = '\0';
                                }
+                       BIO_free_all(b);
 
                        if (n < 0)
                                {
@@ -190,6 +207,15 @@ static int process_pci_value(CONF_VALUE *val,
                                (*policy)->length += val_len;
                                (*policy)->data[(*policy)->length] = '\0';
                                }
+                       else
+                               {
+                               /* realloc failure implies the original data space is b0rked too! */
+                               (*policy)->data = NULL;
+                               (*policy)->length = 0;
+                               X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+                               X509V3_conf_err(val);
+                               goto err;
+                               }
                        }
                else
                        {