Fix a NULL ptr deref in error path in tls_process_cke_dhe()
authorMatt Caswell <matt@openssl.org>
Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)
committerMatt Caswell <matt@openssl.org>
Mon, 2 Jul 2018 13:42:13 +0000 (14:42 +0100)
Fixes #6574

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6593)

ssl/statem/statem_srvr.c

index 9c44be0..26cd850 100644 (file)
@@ -3129,14 +3129,13 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
                  SSL_R_BN_LIB);
         goto err;
     }
+
     cdh = EVP_PKEY_get0_DH(ckey);
     pub_key = BN_bin2bn(data, i, NULL);
-
-    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
+    if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                  ERR_R_INTERNAL_ERROR);
-        if (pub_key != NULL)
-            BN_free(pub_key);
+        BN_free(pub_key);
         goto err;
     }