From b06450bcf763735a89b65ca3ec176600fe7fceed Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 19 Apr 2021 08:51:38 +1000 Subject: [PATCH] srp: fix double free, In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653. In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738. And *verify is freed via BN_clear_free() at line 743, and return 0. Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687. Bug reported by @Yunlongs Fixes #14913 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14921) --- crypto/srp/srp_vfy.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 0693a23be0..2c2ec11cd4 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -712,7 +712,7 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, BIGNUM *x = NULL; BN_CTX *bn_ctx = BN_CTX_new_ex(libctx); unsigned char tmp2[MAX_LEN]; - BIGNUM *salttmp = NULL; + BIGNUM *salttmp = NULL, *verif; if ((user == NULL) || (pass == NULL) || @@ -735,17 +735,18 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, if (x == NULL) goto err; - *verifier = BN_new(); - if (*verifier == NULL) + verif = BN_new(); + if (verif == NULL) goto err; - if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) { - BN_clear_free(*verifier); + if (!BN_mod_exp(verif, g, x, N, bn_ctx)) { + BN_clear_free(verif); goto err; } result = 1; *salt = salttmp; + *verifier = verif; err: if (salt != NULL && *salt != salttmp) -- 2.34.1