Plug leak in c2i_ASN1_OBJECT

When using the object reuse facility of c2i_ASN1_OBJECT, the dynamically
allocated strings a may contain are set to NULL, so we must free them
beforehand. Also clear the flag, because that's what OpenSSL chose to do.

From Richard Levitte OpenSSL 1.1.1 65b88a75921533ada8b465bc8d5c0817ad927947

ok inoguchi

1 files changed, 8 insertions, 3 deletions

diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 16c3a1c0fd..8600f80474 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.31 2018/04/25 11:48:21 tb Exp $ */
+/* $OpenBSD: a_object.c,v 1.32 2021/05/01 13:16:30 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -304,8 +304,6 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
                 }
         }
 
-        /* only the ASN1_OBJECTs from the 'table' will have values
-         * for ->sn or ->ln */
         if ((a == NULL) || ((*a) == NULL) ||
             !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) {
                 if ((ret = ASN1_OBJECT_new()) == NULL)
@@ -327,6 +325,13 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
 
         memcpy(data, p, length);
 
+        /* If there are dynamic strings, free them here, and clear the flag. */
+        if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) {
+                free((void *)ret->sn);
+                free((void *)ret->ln);
+                ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS;
+        }
+
         /* reattach data to object, after which it remains const */
         ret->data = data;
         ret->length = length;