projects / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d4af922)
x509: address NULL dereference and memory leaks
authorPauli <pauli@openssl.org>
Fri, 25 Jun 2021 02:54:43 +0000 (12:54 +1000)
committerPauli <pauli@openssl.org>
Sat, 26 Jun 2021 01:33:52 +0000 (11:33 +1000)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15910)

crypto/x509/x_pubkey.c patch | blob | history
crypto/x509/x_x509a.c patch | blob | history

diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index e669ae35745cd2cb23b3f31d460695a3be16d2bb..b20b756e9a526e471728f754382d976966fdc466 100644 (file)
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -84,14 +84,16 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub)
 
 static void x509_pubkey_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-    X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
+    X509_PUBKEY *pubkey;
 
-    X509_ALGOR_free(pubkey->algor);
-    ASN1_BIT_STRING_free(pubkey->public_key);
-    EVP_PKEY_free(pubkey->pkey);
-    OPENSSL_free(pubkey->propq);
-    OPENSSL_free(pubkey);
-    *pval = NULL;
+    if (pval != NULL && (pubkey = (X509_PUBKEY *)*pval) != NULL) {
+        X509_ALGOR_free(pubkey->algor);
+        ASN1_BIT_STRING_free(pubkey->public_key);
+        EVP_PKEY_free(pubkey->pkey);
+        OPENSSL_free(pubkey->propq);
+        OPENSSL_free(pubkey);
+        *pval = NULL;
+    }
 }
 
 static int x509_pubkey_ex_populate(ASN1_VALUE **pval, const ASN1_ITEM *it)
diff --git a/crypto/x509/x_x509a.c b/crypto/x509/x_x509a.c
index ef93db26d87f566169c5beb6e17eb278065530a5..c88a58aa9f0f2e62db4077dcf159a1fd90fddc74 100644 (file)
--- a/crypto/x509/x_x509a.c
+++ b/crypto/x509/x_x509a.c
@@ -125,6 +125,8 @@ int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj)
 {
     X509_CERT_AUX *aux;
     ASN1_OBJECT *objtmp;
+    int res = 0;
+
     if ((objtmp = OBJ_dup(obj)) == NULL)
         return 0;
     if ((aux = aux_get(x)) == NULL)
@@ -132,10 +134,13 @@ int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj)
     if (aux->reject == NULL
         && (aux->reject = sk_ASN1_OBJECT_new_null()) == NULL)
         goto err;
-    return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+    if (sk_ASN1_OBJECT_push(aux->reject, objtmp) > 0)
+        res = 1;
+
  err:
-    ASN1_OBJECT_free(objtmp);
-    return 0;
+    if (!res)
+        ASN1_OBJECT_free(objtmp);
+    return res;
 }
 
 void X509_trust_clear(X509 *x)
Unnamed repository; edit this file 'description' to name the repository.