From: Pauli <pauli@openssl.org>
Date: Sun, 18 Apr 2021 22:51:38 +0000 (+1000)
Subject: srp: fix double free,
X-Git-Tag: openssl-3.0.0-alpha15~26
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=b06450bcf763735a89b65ca3ec176600fe7fceed

srp: fix double free,

In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
And *verify is freed via BN_clear_free() at line 743, and return 0.
Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.

Bug reported by @Yunlongs

Fixes #14913

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
---

diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 0693a23be0..2c2ec11cd4 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -712,7 +712,7 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
     BIGNUM *x = NULL;
     BN_CTX *bn_ctx = BN_CTX_new_ex(libctx);
     unsigned char tmp2[MAX_LEN];
-    BIGNUM *salttmp = NULL;
+    BIGNUM *salttmp = NULL, *verif;
 
     if ((user == NULL) ||
         (pass == NULL) ||
@@ -735,17 +735,18 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
     if (x == NULL)
         goto err;
 
-    *verifier = BN_new();
-    if (*verifier == NULL)
+    verif = BN_new();
+    if (verif == NULL)
         goto err;
 
-    if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) {
-        BN_clear_free(*verifier);
+    if (!BN_mod_exp(verif, g, x, N, bn_ctx)) {
+        BN_clear_free(verif);
         goto err;
     }
 
     result = 1;
     *salt = salttmp;
+    *verifier = verif;
 
  err:
     if (salt != NULL && *salt != salttmp)