diff options
| author | miod <> | 2015-07-15 17:41:56 +0000 |
|---|---|---|
| committer | miod <> | 2015-07-15 17:41:56 +0000 |
| commit | 27eb6bc04fb78763e85062ff59f306d666290253 (patch) | |
| tree | 68a348f754c211a1512b05ddfa28be629cbeb5ac /src | |
| parent | d831c78b3e48383635e9bfa30710637001e9782d (diff) | |
| download | openbsd-27eb6bc04fb78763e85062ff59f306d666290253.tar.gz openbsd-27eb6bc04fb78763e85062ff59f306d666290253.tar.bz2 openbsd-27eb6bc04fb78763e85062ff59f306d666290253.zip | |
Fix two theoretical NULL pointer dereferences which can only happen if you
have seriously corrupted your memory; Coverity CID 21708 and 21721.
While there, plug a memory leak upon error in x509_name_canon().
ok bcook@ beck@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/asn1/x_name.c | 13 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/asn1/x_name.c | 13 |
2 files changed, 18 insertions, 8 deletions
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c index 51c5a0ae41..569c6fe346 100644 --- a/src/lib/libcrypto/asn1/x_name.c +++ b/src/lib/libcrypto/asn1/x_name.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x_name.c,v 1.29 2015/02/14 15:29:29 miod Exp $ */ | 1 | /* $OpenBSD: x_name.c,v 1.30 2015/07/15 17:41:56 miod Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -377,7 +377,8 @@ x509_name_encode(X509_NAME *a) | |||
| 377 | goto memerr; | 377 | goto memerr; |
| 378 | set = entry->set; | 378 | set = entry->set; |
| 379 | } | 379 | } |
| 380 | if (!sk_X509_NAME_ENTRY_push(entries, entry)) | 380 | if (entries == NULL /* if entry->set is bogusly -1 */ || |
| 381 | !sk_X509_NAME_ENTRY_push(entries, entry)) | ||
| 381 | goto memerr; | 382 | goto memerr; |
| 382 | } | 383 | } |
| 383 | len = ASN1_item_ex_i2d(&intname.a, NULL, | 384 | len = ASN1_item_ex_i2d(&intname.a, NULL, |
| @@ -449,8 +450,11 @@ x509_name_canon(X509_NAME *a) | |||
| 449 | entries = sk_X509_NAME_ENTRY_new_null(); | 450 | entries = sk_X509_NAME_ENTRY_new_null(); |
| 450 | if (!entries) | 451 | if (!entries) |
| 451 | goto err; | 452 | goto err; |
| 452 | if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) | 453 | if (sk_STACK_OF_X509_NAME_ENTRY_push(intname, |
| 454 | entries) == 0) { | ||
| 455 | sk_X509_NAME_ENTRY_free(entries); | ||
| 453 | goto err; | 456 | goto err; |
| 457 | } | ||
| 454 | set = entry->set; | 458 | set = entry->set; |
| 455 | } | 459 | } |
| 456 | tmpentry = X509_NAME_ENTRY_new(); | 460 | tmpentry = X509_NAME_ENTRY_new(); |
| @@ -461,7 +465,8 @@ x509_name_canon(X509_NAME *a) | |||
| 461 | goto err; | 465 | goto err; |
| 462 | if (!asn1_string_canon(tmpentry->value, entry->value)) | 466 | if (!asn1_string_canon(tmpentry->value, entry->value)) |
| 463 | goto err; | 467 | goto err; |
| 464 | if (!sk_X509_NAME_ENTRY_push(entries, tmpentry)) | 468 | if (entries == NULL /* if entry->set is bogusly -1 */ || |
| 469 | !sk_X509_NAME_ENTRY_push(entries, tmpentry)) | ||
| 465 | goto err; | 470 | goto err; |
| 466 | tmpentry = NULL; | 471 | tmpentry = NULL; |
| 467 | } | 472 | } |
diff --git a/src/lib/libssl/src/crypto/asn1/x_name.c b/src/lib/libssl/src/crypto/asn1/x_name.c index 51c5a0ae41..569c6fe346 100644 --- a/src/lib/libssl/src/crypto/asn1/x_name.c +++ b/src/lib/libssl/src/crypto/asn1/x_name.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x_name.c,v 1.29 2015/02/14 15:29:29 miod Exp $ */ | 1 | /* $OpenBSD: x_name.c,v 1.30 2015/07/15 17:41:56 miod Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -377,7 +377,8 @@ x509_name_encode(X509_NAME *a) | |||
| 377 | goto memerr; | 377 | goto memerr; |
| 378 | set = entry->set; | 378 | set = entry->set; |
| 379 | } | 379 | } |
| 380 | if (!sk_X509_NAME_ENTRY_push(entries, entry)) | 380 | if (entries == NULL /* if entry->set is bogusly -1 */ || |
| 381 | !sk_X509_NAME_ENTRY_push(entries, entry)) | ||
| 381 | goto memerr; | 382 | goto memerr; |
| 382 | } | 383 | } |
| 383 | len = ASN1_item_ex_i2d(&intname.a, NULL, | 384 | len = ASN1_item_ex_i2d(&intname.a, NULL, |
| @@ -449,8 +450,11 @@ x509_name_canon(X509_NAME *a) | |||
| 449 | entries = sk_X509_NAME_ENTRY_new_null(); | 450 | entries = sk_X509_NAME_ENTRY_new_null(); |
| 450 | if (!entries) | 451 | if (!entries) |
| 451 | goto err; | 452 | goto err; |
| 452 | if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) | 453 | if (sk_STACK_OF_X509_NAME_ENTRY_push(intname, |
| 454 | entries) == 0) { | ||
| 455 | sk_X509_NAME_ENTRY_free(entries); | ||
| 453 | goto err; | 456 | goto err; |
| 457 | } | ||
| 454 | set = entry->set; | 458 | set = entry->set; |
| 455 | } | 459 | } |
| 456 | tmpentry = X509_NAME_ENTRY_new(); | 460 | tmpentry = X509_NAME_ENTRY_new(); |
| @@ -461,7 +465,8 @@ x509_name_canon(X509_NAME *a) | |||
| 461 | goto err; | 465 | goto err; |
| 462 | if (!asn1_string_canon(tmpentry->value, entry->value)) | 466 | if (!asn1_string_canon(tmpentry->value, entry->value)) |
| 463 | goto err; | 467 | goto err; |
| 464 | if (!sk_X509_NAME_ENTRY_push(entries, tmpentry)) | 468 | if (entries == NULL /* if entry->set is bogusly -1 */ || |
| 469 | !sk_X509_NAME_ENTRY_push(entries, tmpentry)) | ||
| 465 | goto err; | 470 | goto err; |
| 466 | tmpentry = NULL; | 471 | tmpentry = NULL; |
| 467 | } | 472 | } |