diff options
| author | tb <> | 2021-05-01 13:13:45 +0000 |
|---|---|---|
| committer | tb <> | 2021-05-01 13:13:45 +0000 |
| commit | bda487a9531b508fcb2602e5fddbef19d89ff384 (patch) | |
| tree | 3a4aa4d6f97d60ae302f624d12abae1559776335 /src/lib | |
| parent | 43140dd2d9a01de0fff0ae59aec0e1d7cda76474 (diff) | |
| download | openbsd-bda487a9531b508fcb2602e5fddbef19d89ff384.tar.gz openbsd-bda487a9531b508fcb2602e5fddbef19d89ff384.tar.bz2 openbsd-bda487a9531b508fcb2602e5fddbef19d89ff384.zip | |
Prevent double free in int_TS_RESP_verify_token
If TS_compute_imprint fails after md_alg was allocated, there will be a
double free in its caller. Obvious fix is to null out the output
parameter md_alg just like it's already done for imprint and imprint_len.
From Pauli Dale, OpenSSL 1.1.1, a3dea76f742896b7d75a0c0529c0af1e628bd853
ok inoguchi jsing
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/ts/ts_rsp_verify.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c index 36ead0671a..27515adf68 100644 --- a/src/lib/libcrypto/ts/ts_rsp_verify.c +++ b/src/lib/libcrypto/ts/ts_rsp_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ts_rsp_verify.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ | 1 | /* $OpenBSD: ts_rsp_verify.c,v 1.19 2021/05/01 13:13:45 tb Exp $ */ |
| 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL | 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL |
| 3 | * project 2002. | 3 | * project 2002. |
| 4 | */ | 4 | */ |
| @@ -639,6 +639,7 @@ TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg, | |||
| 639 | 639 | ||
| 640 | err: | 640 | err: |
| 641 | X509_ALGOR_free(*md_alg); | 641 | X509_ALGOR_free(*md_alg); |
| 642 | *md_alg = NULL; | ||
| 642 | free(*imprint); | 643 | free(*imprint); |
| 643 | *imprint = NULL; | 644 | *imprint = NULL; |
| 644 | *imprint_len = 0; | 645 | *imprint_len = 0; |