Revert ca.c r1.7 - BN_to_ASN1_INTEGER() only allocates an ASN.1 integer

when it is not passed a reference to one. In this case, it is passed a
reference to an ASN.1 integer that is part of the X509 ASN.1 data
structure. Freeing this causes bad things to happen, since it is used and
then freed later on.

Found the hard way by kinichiro inoguchi.

1 files changed, 2 insertions, 6 deletions

diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index c7b685ad2b..8500abe4ea 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.7 2015/07/19 05:50:47 doug Exp $ */
+/* $OpenBSD: ca.c,v 1.8 2015/07/22 15:52:32 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1516,7 +1516,6 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
         ASN1_UTCTIME *tm, *tmptm;
         ASN1_STRING *str, *str2;
         ASN1_OBJECT *obj;
-        ASN1_INTEGER *check_int;
         X509 *ret = NULL;
         X509_CINF *ci;
         X509_NAME_ENTRY *ne;
@@ -1806,11 +1805,8 @@ again2:
                 goto err;
 #endif
 
-        if ((check_int = BN_to_ASN1_INTEGER(serial, ci->serialNumber)) == NULL)
+        if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
                 goto err;
-        M_ASN1_INTEGER_free(check_int);
-        check_int = NULL;
-
         if (selfsign) {
                 if (!X509_set_issuer_name(ret, subject))
                         goto err;