srp: fix double free,

In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
And *verify is freed via BN_clear_free() at line 743, and return 0.
Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.

Bug reported by @Yunlongs

Fixes #14913

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 0693a23be0617b92669a56c50934d73514c7dc8c..2c2ec11cd4d88fe9a0d45b4d721aa20fe19a2aa7 100644 (file)
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -712,7 +712,7 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
     BIGNUM *x = NULL;
     BN_CTX *bn_ctx = BN_CTX_new_ex(libctx);
     unsigned char tmp2[MAX_LEN];
     BIGNUM *x = NULL;
     BN_CTX *bn_ctx = BN_CTX_new_ex(libctx);
     unsigned char tmp2[MAX_LEN];

-    BIGNUM *salttmp = NULL;
+    BIGNUM *salttmp = NULL, *verif;

 
     if ((user == NULL) ||
         (pass == NULL) ||
 
     if ((user == NULL) ||
         (pass == NULL) ||


@@ -735,17 +735,18 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
     if (x == NULL)
         goto err;
 
     if (x == NULL)
         goto err;
 

-    *verifier = BN_new();
-    if (*verifier == NULL)
+    verif = BN_new();
+    if (verif == NULL)

         goto err;
 
         goto err;
 

-    if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) {
-        BN_clear_free(*verifier);
+    if (!BN_mod_exp(verif, g, x, N, bn_ctx)) {
+        BN_clear_free(verif);

         goto err;
     }
 
     result = 1;
     *salt = salttmp;
         goto err;
     }
 
     result = 1;
     *salt = salttmp;

+    *verifier = verif;

 
  err:
     if (salt != NULL && *salt != salttmp)
 
  err:
     if (salt != NULL && *salt != salttmp)