From: Matt Caswell Date: Wed, 11 Mar 2015 20:08:16 +0000 (+0000) Subject: Fix dh_pub_encode X-Git-Tag: OpenSSL_1_0_1m~24 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=3942e7d9ebc262fa5c5c42aba0167e06d981f004 Fix dh_pub_encode The return value from ASN1_STRING_new() was not being checked which could lead to a NULL deref in the event of a malloc failure. Also fixed a mem leak in the error path. Reviewed-by: Rich Salz (cherry picked from commit 6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2) Conflicts: crypto/dh/dh_ameth.c --- diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 680400f787..1dec109835 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -126,7 +126,6 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) { DH *dh; - void *pval = NULL; int ptype; unsigned char *penc = NULL; int penclen; @@ -136,12 +135,15 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) dh = pkey->pkey.dh; str = ASN1_STRING_new(); + if(!str) { + DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); + goto err; + } str->length = i2d_DHparams(dh, &str->data); if (str->length <= 0) { DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); goto err; } - pval = str; ptype = V_ASN1_SEQUENCE; pub_key = BN_to_ASN1_INTEGER(dh->pub_key, NULL); @@ -158,14 +160,14 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) } if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DH), - ptype, pval, penc, penclen)) + ptype, str, penc, penclen)) return 1; err: if (penc) OPENSSL_free(penc); - if (pval) - ASN1_STRING_free(pval); + if (str) + ASN1_STRING_free(str); return 0; }