PR: 2009
authorDr. Stephen Henson <steve@openssl.org>
Wed, 2 Sep 2009 13:20:32 +0000 (13:20 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 2 Sep 2009 13:20:32 +0000 (13:20 +0000)
Submitted by: "Alexei Khlebnikov" <alexei.khlebnikov@opera.com>
Approved by: steve@openssl.org

Avoid memory leak and fix error reporting in d2i_SSL_SESSION(). NB: although
the ticket mentions buffer overruns this isn't a security issue because
the SSL_SESSION structure is generated internally and it should never be
possible to supply its contents from an untrusted application (this would
among other things destroy session cache security).

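--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -413,8 +413,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
                 }
         else
                 {
-               SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
-               return(NULL);
+               c.error=SSL_R_UNKNOWN_SSL_VERSION;
+               goto err;
                 }
         
         ret->cipher=NULL;
@@ -505,8 +505,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
             {
             if (os.length > SSL_MAX_SID_CTX_LENGTH)
                 {
-               ret->sid_ctx_length=os.length;
-               SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
+               c.error=SSL_R_BAD_LENGTH;
+               goto err;
                 }
             else
                 {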
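Review bot: In the second hunk the over-long sid_ctx case now rejects the input with `c.error=SSL_R_BAD_LENGTH; goto err;`, but nothing at the check says why rejecting is required, and the code shown does not enforce the commit message's assumption that the encoding is always internally generated. d2i_SSL_SESSION is an exported decoder, and an application that keeps sessions in an external cache or file passes it bytes whose integrity depends on that storage, so I would add a comment above the check such as `/* input may come from an external session store: reject over-long fields, never copy or truncate */`. Both hunks depend on the `err` label, which lies outside the visible lines, freeing `ret` only when this function allocated it; that is worth confirming for callers that pass an existing `*a`. The other length-checked fields in this function are not visible here, but they presumably deserve the same reject-and-`goto err` handling.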