Some dude named Tavis Ormandy reported a bug which has gone unfixed.

http://marc.info/?l=openssl-users&m=138014120223264&w=2
Arguably a doc bug, but we argue not. If you parse a new cert into memory
occupied by a previously verified cert, the new cert will inherit that
state, bypassing future verification checks. To avoid this, we will always
start fresh with a new object.

grudging ok from guenther, after i threatened to make him read the code yet
again. "that ok was way more painful and tiring then it should have been"

2 files changed, 10 insertions, 0 deletions

diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index f19c457169..1ce40039b1 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -171,6 +171,11 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 
         if (!pval)
                 return 0;
+        /* always start fresh */
+        if (*pval) {
+                ASN1_item_ex_free(pval, it);
+                *pval = NULL;
+        }
         if (aux && aux->asn1_cb)
                 asn1_cb = aux->asn1_cb;
         else
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
index f19c457169..1ce40039b1 100644
--- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c
+++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
@@ -171,6 +171,11 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 
         if (!pval)
                 return 0;
+        /* always start fresh */
+        if (*pval) {
+                ASN1_item_ex_free(pval, it);
+                *pval = NULL;
+        }
         if (aux && aux->asn1_cb)
                 asn1_cb = aux->asn1_cb;
         else