Don't free the BIGNUM passed to BN_mpi2bn

Commit 91fb42dd fixed a leak but introduced a problem where a parameter
is erroneously freed instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/crypto/bn/bn_mpi.c b/crypto/bn/bn_mpi.c
index 86d96750b9c7ce66698c4d9f9bb71ccd6c3cb18d..cb8f0b8dcaf17e65db907bfc61b85dea1c9b586b 100644 (file)
--- a/crypto/bn/bn_mpi.c
+++ b/crypto/bn/bn_mpi.c
@@ -87,10 +87,11 @@ int BN_bn2mpi(const BIGNUM *a, unsigned char *d)
     return (num + 4 + ext);
 }
 
-BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *a)
+BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *ain)
 {
     long len;
     int neg = 0;
+    BIGNUM *a = NULL;
 
     if (n < 4) {
         BNerr(BN_F_BN_MPI2BN, BN_R_INVALID_LENGTH);
@@ -103,8 +104,11 @@ BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *a)
         return NULL;
     }
 
-    if (a == NULL)
+    if (ain == NULL)
         a = BN_new();
+    else
+        a = ain;
+
     if (a == NULL)
         return NULL;
 
@@ -117,7 +121,8 @@ BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *a)
     if ((*d) & 0x80)
         neg = 1;
     if (BN_bin2bn(d, (int)len, a) == NULL) {
-        BN_free(a);
+        if (ain == NULL)
+            BN_free(a);
         return NULL;
     }
     a->neg = neg;