Fix several crash causing defects from OpenSSL.

These include: CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp CVE-2015-0287 - ASN.1 structure reuse memory corruption CVE-2015-0289 - PKCS7 NULL pointer dereferences Several other issues did not apply or were already fixed. Refer to https://www.openssl.org/news/secadv_20150319.txt joint work with beck, doug, guenther, jsing, miod
author: tedu <> 2015-03-19 14:00:22 +0000
committer: tedu <> 2015-03-19 14:00:22 +0000
commit: 985dda77b7930c0837c4acb74b7bd23252f849c1 (patch)
tree: e1849327a9d18d917e7698c775d31f7ae7c4e34f /src/lib/libcrypto/asn1
parent: 6b3d8d3164d1b68d078a0cf83583f3dd8bbcb340 (diff)
download: openbsd-985dda77b7930c0837c4acb74b7bd23252f849c1.tar.gz
openbsd-985dda77b7930c0837c4acb74b7bd23252f849c1.tar.bz2
openbsd-985dda77b7930c0837c4acb74b7bd23252f849c1.zip
8 files changed, 52 insertions, 25 deletions
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index fe6ce5ee9f..af5d64d056 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_int.c,v 1.25 2015/02/10 08:33:10 jsing Exp $ */
+/* $OpenBSD: a_int.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -268,7 +268,7 @@ c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, long len)
 err:
        ASN1err(ASN1_F_C2I_ASN1_INTEGER, i);
-        if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        if (a == NULL || *a != ret)
                M_ASN1_INTEGER_free(ret);
        return (NULL);
 }
@@ -335,7 +335,7 @@ d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, long length)
 err:
        ASN1err(ASN1_F_D2I_ASN1_UINTEGER, i);
-        if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        if (a == NULL || *a != ret)
                M_ASN1_INTEGER_free(ret);
        return (NULL);
 }
diff --git a/src/lib/libcrypto/asn1/a_set.c b/src/lib/libcrypto/asn1/a_set.c
index ba4f28be34..63d55c3714 100644
--- a/src/lib/libcrypto/asn1/a_set.c
+++ b/src/lib/libcrypto/asn1/a_set.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_set.c,v 1.16 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: a_set.c,v 1.17 2015/03/19 14:00:22 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -225,7 +225,7 @@ d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a, const unsigned char **pp, long length,
        return ret;
 err:
-        if (ret != NULL && (a == NULL || *a != ret)) {
+        if (a == NULL || *a != ret) {
                if (free_func != NULL)
                        sk_OPENSSL_BLOCK_pop_free(ret, free_func);
                else
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index 7c732cfec5..38b3c65beb 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_type.c,v 1.15 2015/02/10 08:33:10 jsing Exp $ */
+/* $OpenBSD: a_type.c,v 1.16 2015/03/19 14:00:22 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -119,7 +119,9 @@ ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
        case V_ASN1_OBJECT:
                result = OBJ_cmp(a->value.object, b->value.object);
                break;
+        case V_ASN1_BOOLEAN:
+                result = a->value.boolean - b->value.boolean;
+                break;
        case V_ASN1_NULL:
                result = 0;     /* They do not have content. */
                break;
diff --git a/src/lib/libcrypto/asn1/d2i_pr.c b/src/lib/libcrypto/asn1/d2i_pr.c
index 14f08e1380..68d02177c4 100644
--- a/src/lib/libcrypto/asn1/d2i_pr.c
+++ b/src/lib/libcrypto/asn1/d2i_pr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d2i_pr.c,v 1.13 2015/02/11 03:19:37 doug Exp $ */
+/* $OpenBSD: d2i_pr.c,v 1.14 2015/03/19 14:00:22 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -118,7 +118,7 @@ d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length)
        return (ret);
 err:
-        if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        if (a == NULL || *a != ret)
                EVP_PKEY_free(ret);
        return (NULL);
 }
diff --git a/src/lib/libcrypto/asn1/d2i_pu.c b/src/lib/libcrypto/asn1/d2i_pu.c
index df6fea4af5..e917356254 100644
--- a/src/lib/libcrypto/asn1/d2i_pu.c
+++ b/src/lib/libcrypto/asn1/d2i_pu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d2i_pu.c,v 1.12 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: d2i_pu.c,v 1.13 2015/03/19 14:00:22 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -130,7 +130,7 @@ d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, long length)
        return (ret);
 err:
-        if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        if (a == NULL || *a != ret)
                EVP_PKEY_free(ret);
        return (NULL);
 }
diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c
index bb369fde6e..d3a7431356 100644
--- a/src/lib/libcrypto/asn1/n_pkey.c
+++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: n_pkey.c,v 1.25 2015/02/11 04:00:39 jsing Exp $ */
+/* $OpenBSD: n_pkey.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -340,11 +340,11 @@ d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
                return NULL;
        }
-        if ((enckey->os->length != 11) || (strncmp("private-key",
+        /* XXX 11 == strlen("private-key") */
-        (char *)enckey->os->data, 11) != 0)) {
+        if (enckey->os->length != 11 ||
+            memcmp("private-key", enckey->os->data, 11) != 0) {
                ASN1err(ASN1_F_D2I_RSA_NET, ASN1_R_PRIVATE_KEY_HEADER_MISSING);
-                NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+                goto err;
-                return NULL;
        }
        if (OBJ_obj2nid(enckey->enckey->algor->algorithm) != NID_rc4) {
                ASN1err(ASN1_F_D2I_RSA_NET,
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 791a10a9c0..7d61a6a233 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.25 2015/02/14 15:23:57 miod Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -238,8 +238,16 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
                if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
                        goto auxerr;
-                /* Allocate structure */
+                if (*pval) {
-                if (!*pval && !ASN1_item_ex_new(pval, it)) {
+                        /* Free up and zero CHOICE value if initialised */
+                        i = asn1_get_choice_selector(pval, it);
+                        if ((i >= 0) && (i < it->tcount)) {
+                                tt = it->templates + i;
+                                pchptr = asn1_get_field_ptr(pval, tt);
+                                ASN1_template_free(pchptr, tt);
+                                asn1_set_choice_selector(pval, -1, it);
+                        }
+                } else if (!ASN1_item_ex_new(pval, it)) {
                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
                            ERR_R_NESTED_ASN1_ERROR);
                        goto err;
@@ -325,6 +333,19 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
                if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
                        goto auxerr;
+                /* Free up and zero any ADB found */
+                for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+                        if (tt->flags & ASN1_TFLG_ADB_MASK) {
+                                const ASN1_TEMPLATE *seqtt;
+                                ASN1_VALUE **pseqval;
+                                seqtt = asn1_do_adb(pval, tt, 1);
+                                if (!seqtt)
+                                        goto err;
+                                pseqval = asn1_get_field_ptr(pval, seqtt);
+                                ASN1_template_free(pseqval, seqtt);
+                        }
+                }
                /* Get each field entry */
                for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
                        const ASN1_TEMPLATE *seqtt;
diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c
index 70d38221b6..168c2c0fcd 100644
--- a/src/lib/libcrypto/asn1/x_x509.c
+++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.23 2015/02/11 04:00:39 jsing Exp $ */
+/* $OpenBSD: x_x509.c,v 1.24 2015/03/19 14:00:22 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -313,16 +313,20 @@ d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
        /* Save start position */
        q = *pp;
-        ret = d2i_X509(a, pp, length);
+        ret = d2i_X509(NULL, pp, length);
        /* If certificate unreadable then forget it */
        if (!ret)
                return NULL;
        /* update length */
        length -= *pp - q;
-        if (!length)
+        if (length > 0) {
-                return ret;
+                if (!d2i_X509_CERT_AUX(&ret->aux, pp, length))
-        if (!d2i_X509_CERT_AUX(&ret->aux, pp, length))
+                        goto err;
-                goto err;
+        }
+        if (a != NULL) {
+                X509_free(*a);
+                *a = ret;
+        }
        return ret;
 err:
author	tedu <>	2015-03-19 14:00:22 +0000
committer	tedu <>	2015-03-19 14:00:22 +0000
commit	985dda77b7930c0837c4acb74b7bd23252f849c1 (patch)
tree	e1849327a9d18d917e7698c775d31f7ae7c4e34f /src/lib/libcrypto/asn1
parent	6b3d8d3164d1b68d078a0cf83583f3dd8bbcb340 (diff)
download	openbsd-985dda77b7930c0837c4acb74b7bd23252f849c1.tar.gz openbsd-985dda77b7930c0837c4acb74b7bd23252f849c1.tar.bz2 openbsd-985dda77b7930c0837c4acb74b7bd23252f849c1.zip

diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c index fe6ce5ee9f..af5d64d056 100644 --- a/src/lib/libcrypto/asn1/a_int.c +++ b/src/lib/libcrypto/asn1/a_int.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: a_int.c,v 1.25 2015/02/10 08:33:10 jsing Exp $ */	1	/* $OpenBSD: a_int.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -268,7 +268,7 @@ c2i_ASN1_INTEGER(ASN1_INTEGER a, const unsigned char pp, long len)
268		268
269	err:	269	err:
270	ASN1err(ASN1_F_C2I_ASN1_INTEGER, i);	270	ASN1err(ASN1_F_C2I_ASN1_INTEGER, i);
271	if ((ret != NULL) && ((a == NULL) \|\| (*a != ret)))	271	if (a == NULL \|\| *a != ret)
272	M_ASN1_INTEGER_free(ret);	272	M_ASN1_INTEGER_free(ret);
273	return (NULL);	273	return (NULL);
274	}	274	}
@@ -335,7 +335,7 @@ d2i_ASN1_UINTEGER(ASN1_INTEGER a, const unsigned char pp, long length)
335		335
336	err:	336	err:
337	ASN1err(ASN1_F_D2I_ASN1_UINTEGER, i);	337	ASN1err(ASN1_F_D2I_ASN1_UINTEGER, i);
338	if ((ret != NULL) && ((a == NULL) \|\| (*a != ret)))	338	if (a == NULL \|\| *a != ret)
339	M_ASN1_INTEGER_free(ret);	339	M_ASN1_INTEGER_free(ret);
340	return (NULL);	340	return (NULL);
341	}	341	}


diff --git a/src/lib/libcrypto/asn1/a_set.c b/src/lib/libcrypto/asn1/a_set.c index ba4f28be34..63d55c3714 100644 --- a/src/lib/libcrypto/asn1/a_set.c +++ b/src/lib/libcrypto/asn1/a_set.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: a_set.c,v 1.16 2014/07/11 08:44:47 jsing Exp $ */	1	/* $OpenBSD: a_set.c,v 1.17 2015/03/19 14:00:22 tedu Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -225,7 +225,7 @@ d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) a, const unsigned char pp, long length,
225	return ret;	225	return ret;
226		226
227	err:	227	err:
228	if (ret != NULL && (a == NULL \|\| *a != ret)) {	228	if (a == NULL \|\| *a != ret) {
229	if (free_func != NULL)	229	if (free_func != NULL)
230	sk_OPENSSL_BLOCK_pop_free(ret, free_func);	230	sk_OPENSSL_BLOCK_pop_free(ret, free_func);
231	else	231	else


diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c index 7c732cfec5..38b3c65beb 100644 --- a/src/lib/libcrypto/asn1/a_type.c +++ b/src/lib/libcrypto/asn1/a_type.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: a_type.c,v 1.15 2015/02/10 08:33:10 jsing Exp $ */	1	/* $OpenBSD: a_type.c,v 1.16 2015/03/19 14:00:22 tedu Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -119,7 +119,9 @@ ASN1_TYPE_cmp(ASN1_TYPE a, ASN1_TYPE b)
119	case V_ASN1_OBJECT:	119	case V_ASN1_OBJECT:
120	result = OBJ_cmp(a->value.object, b->value.object);	120	result = OBJ_cmp(a->value.object, b->value.object);
121	break;	121	break;
122		122	case V_ASN1_BOOLEAN:
		123	result = a->value.boolean - b->value.boolean;
		124	break;
123	case V_ASN1_NULL:	125	case V_ASN1_NULL:
124	result = 0; /* They do not have content. */	126	result = 0; /* They do not have content. */
125	break;	127	break;


diff --git a/src/lib/libcrypto/asn1/d2i_pr.c b/src/lib/libcrypto/asn1/d2i_pr.c index 14f08e1380..68d02177c4 100644 --- a/src/lib/libcrypto/asn1/d2i_pr.c +++ b/src/lib/libcrypto/asn1/d2i_pr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d2i_pr.c,v 1.13 2015/02/11 03:19:37 doug Exp $ */	1	/* $OpenBSD: d2i_pr.c,v 1.14 2015/03/19 14:00:22 tedu Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -118,7 +118,7 @@ d2i_PrivateKey(int type, EVP_PKEY a, const unsigned char pp, long length)
118	return (ret);	118	return (ret);
119		119
120	err:	120	err:
121	if ((ret != NULL) && ((a == NULL) \|\| (*a != ret)))	121	if (a == NULL \|\| *a != ret)
122	EVP_PKEY_free(ret);	122	EVP_PKEY_free(ret);
123	return (NULL);	123	return (NULL);
124	}	124	}


diff --git a/src/lib/libcrypto/asn1/d2i_pu.c b/src/lib/libcrypto/asn1/d2i_pu.c index df6fea4af5..e917356254 100644 --- a/src/lib/libcrypto/asn1/d2i_pu.c +++ b/src/lib/libcrypto/asn1/d2i_pu.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d2i_pu.c,v 1.12 2014/07/11 08:44:47 jsing Exp $ */	1	/* $OpenBSD: d2i_pu.c,v 1.13 2015/03/19 14:00:22 tedu Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -130,7 +130,7 @@ d2i_PublicKey(int type, EVP_PKEY a, const unsigned char pp, long length)
130	return (ret);	130	return (ret);
131		131
132	err:	132	err:
133	if ((ret != NULL) && ((a == NULL) \|\| (*a != ret)))	133	if (a == NULL \|\| *a != ret)
134	EVP_PKEY_free(ret);	134	EVP_PKEY_free(ret);
135	return (NULL);	135	return (NULL);
136	}	136	}


diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c index bb369fde6e..d3a7431356 100644 --- a/src/lib/libcrypto/asn1/n_pkey.c +++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: n_pkey.c,v 1.25 2015/02/11 04:00:39 jsing Exp $ */	1	/* $OpenBSD: n_pkey.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -340,11 +340,11 @@ d2i_RSA_NET(RSA a, const unsigned char pp, long length,
340	return NULL;	340	return NULL;
341	}	341	}
342		342
343	if ((enckey->os->length != 11) \|\| (strncmp("private-key",	343	/* XXX 11 == strlen("private-key") */
344	(char *)enckey->os->data, 11) != 0)) {	344	if (enckey->os->length != 11 \|\|
		345	memcmp("private-key", enckey->os->data, 11) != 0) {
345	ASN1err(ASN1_F_D2I_RSA_NET, ASN1_R_PRIVATE_KEY_HEADER_MISSING);	346	ASN1err(ASN1_F_D2I_RSA_NET, ASN1_R_PRIVATE_KEY_HEADER_MISSING);
346	NETSCAPE_ENCRYPTED_PKEY_free(enckey);	347	goto err;
347	return NULL;
348	}	348	}
349	if (OBJ_obj2nid(enckey->enckey->algor->algorithm) != NID_rc4) {	349	if (OBJ_obj2nid(enckey->enckey->algor->algorithm) != NID_rc4) {
350	ASN1err(ASN1_F_D2I_RSA_NET,	350	ASN1err(ASN1_F_D2I_RSA_NET,


diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c index 791a10a9c0..7d61a6a233 100644 --- a/src/lib/libcrypto/asn1/tasn_dec.c +++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tasn_dec.c,v 1.25 2015/02/14 15:23:57 miod Exp $ */	1	/* $OpenBSD: tasn_dec.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2000.	3	* project 2000.
4	*/	4	*/
@@ -238,8 +238,16 @@ ASN1_item_ex_d2i(ASN1_VALUE pval, const unsigned char in, long len,
238	if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))	238	if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
239	goto auxerr;	239	goto auxerr;
240		240
241	/* Allocate structure */	241	if (*pval) {
242	if (!*pval && !ASN1_item_ex_new(pval, it)) {	242	/* Free up and zero CHOICE value if initialised */
		243	i = asn1_get_choice_selector(pval, it);
		244	if ((i >= 0) && (i < it->tcount)) {
		245	tt = it->templates + i;
		246	pchptr = asn1_get_field_ptr(pval, tt);
		247	ASN1_template_free(pchptr, tt);
		248	asn1_set_choice_selector(pval, -1, it);
		249	}
		250	} else if (!ASN1_item_ex_new(pval, it)) {
243	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,	251	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
244	ERR_R_NESTED_ASN1_ERROR);	252	ERR_R_NESTED_ASN1_ERROR);
245	goto err;	253	goto err;
@@ -325,6 +333,19 @@ ASN1_item_ex_d2i(ASN1_VALUE pval, const unsigned char in, long len,
325	if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))	333	if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
326	goto auxerr;	334	goto auxerr;
327		335
		336	/* Free up and zero any ADB found */
		337	for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
		338	if (tt->flags & ASN1_TFLG_ADB_MASK) {
		339	const ASN1_TEMPLATE *seqtt;
		340	ASN1_VALUE **pseqval;
		341	seqtt = asn1_do_adb(pval, tt, 1);
		342	if (!seqtt)
		343	goto err;
		344	pseqval = asn1_get_field_ptr(pval, seqtt);
		345	ASN1_template_free(pseqval, seqtt);
		346	}
		347	}
		348
328	/* Get each field entry */	349	/* Get each field entry */
329	for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {	350	for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
330	const ASN1_TEMPLATE *seqtt;	351	const ASN1_TEMPLATE *seqtt;


diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c index 70d38221b6..168c2c0fcd 100644 --- a/src/lib/libcrypto/asn1/x_x509.c +++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x_x509.c,v 1.23 2015/02/11 04:00:39 jsing Exp $ */	1	/* $OpenBSD: x_x509.c,v 1.24 2015/03/19 14:00:22 tedu Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -313,16 +313,20 @@ d2i_X509_AUX(X509 a, const unsigned char pp, long length)
313		313
314	/* Save start position */	314	/* Save start position */
315	q = *pp;	315	q = *pp;
316	ret = d2i_X509(a, pp, length);	316	ret = d2i_X509(NULL, pp, length);
317	/* If certificate unreadable then forget it */	317	/* If certificate unreadable then forget it */
318	if (!ret)	318	if (!ret)
319	return NULL;	319	return NULL;
320	/* update length */	320	/* update length */
321	length -= *pp - q;	321	length -= *pp - q;
322	if (!length)	322	if (length > 0) {
323	return ret;	323	if (!d2i_X509_CERT_AUX(&ret->aux, pp, length))
324	if (!d2i_X509_CERT_AUX(&ret->aux, pp, length))	324	goto err;
325	goto err;	325	}
		326	if (a != NULL) {
		327	X509_free(*a);
		328	*a = ret;
		329	}
326	return ret;	330	return ret;
327		331
328	err:	332	err: