From 7a433893adbe7eab3c41581175493d9e5326ba3f Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Mon, 14 Mar 2016 15:03:07 -0400
Subject: [PATCH] Fix memory leak on invalid CertificateRequest.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.

The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.

This was found by libFuzzer.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit ec66c8c98881186abbb4a7ddd6617970f1ee27a7)
---
 ssl/s3_clnt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index cfa5080e6b..9e5875f1f9 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2104,6 +2104,7 @@ int ssl3_get_certificate_request(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
+        xn = NULL;
 
         p += l;
         nc += l + 2;
@@ -2127,6 +2128,7 @@ int ssl3_get_certificate_request(SSL *s)
  err:
     s->state = SSL_ST_ERR;
  done:
+    X509_NAME_free(xn);
     if (ca_sk != NULL)
         sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
     return (ret);
-- 
2.34.1