Avoid dangling ptrs in header and data params for PEM_read_bio_ex
authorMatt Caswell <matt@openssl.org>
Tue, 13 Dec 2022 14:54:55 +0000 (14:54 +0000)
committerTomas Mraz <tomas@openssl.org>
Fri, 3 Feb 2023 11:38:44 +0000 (12:38 +0100)
commit63bcf189be73a9cc1264059bed6f57974be74a83
tree40a6c798932600b6f3c71daecf3f5aed71daa309
parent8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d
Avoid dangling ptrs in header and data params for PEM_read_bio_ex

In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.

Thanks to Dawei Wang for reporting this issue.

Based on a proposed patch by Kurt Roeckx.

CVE-2022-4450

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
crypto/pem/pem_lib.c