Fix dh_pub_encode
authorMatt Caswell <matt@openssl.org>
Wed, 11 Mar 2015 20:08:16 +0000 (20:08 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 12 Mar 2015 09:33:46 +0000 (09:33 +0000)
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2)

Conflicts:
crypto/dh/dh_ameth.c

crypto/dh/dh_ameth.c

index 680400f..1dec109 100644 (file)
@@ -126,7 +126,6 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
 static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
     DH *dh;
-    void *pval = NULL;
     int ptype;
     unsigned char *penc = NULL;
     int penclen;
@@ -136,12 +135,15 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
     dh = pkey->pkey.dh;
 
     str = ASN1_STRING_new();
+    if(!str) {
+        DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
     str->length = i2d_DHparams(dh, &str->data);
     if (str->length <= 0) {
         DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-    pval = str;
     ptype = V_ASN1_SEQUENCE;
 
     pub_key = BN_to_ASN1_INTEGER(dh->pub_key, NULL);
@@ -158,14 +160,14 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
     }
 
     if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DH),
-                               ptype, pval, penc, penclen))
+                               ptype, str, penc, penclen))
         return 1;
 
  err:
     if (penc)
         OPENSSL_free(penc);
-    if (pval)
-        ASN1_STRING_free(pval);
+    if (str)
+        ASN1_STRING_free(str);
 
     return 0;
 }