Fix a NULL ptr deref in error path in tls_process_cke_dhe()

author Matt Caswell <matt@openssl.org>

Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)

committer Matt Caswell <matt@openssl.org>

Mon, 2 Jul 2018 13:42:13 +0000 (14:42 +0100)
author Matt Caswell <matt@openssl.org>
Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)
committer Matt Caswell <matt@openssl.org>
Mon, 2 Jul 2018 13:42:13 +0000 (14:42 +0100)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c

index 9c44be0301c1f6c42627d6d5be28cbf101c8207f..26cd850d12e51e460b85a5ef2a5650554acd1710 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3129,14 +3129,13 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
                   SSL_R_BN_LIB);
          goto err;
      }
+
      cdh = EVP_PKEY_get0_DH(ckey);
      pub_key = BN_bin2bn(data, i, NULL);
-
-    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
+    if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
          SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                   ERR_R_INTERNAL_ERROR);
-        if (pub_key != NULL)
-            BN_free(pub_key);
+        BN_free(pub_key);
          goto err;
      }
author	Matt Caswell <matt@openssl.org>
	Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)
committer	Matt Caswell <matt@openssl.org>
	Mon, 2 Jul 2018 13:42:13 +0000 (14:42 +0100)