From 34580c70507efc9093560bfbcf1ddd9260243446 Mon Sep 17 00:00:00 2001
From: doug <>
Date: Sat, 7 Feb 2015 04:37:35 +0000
Subject: Only call free in CBB_init(). CBB_init_fixed() should not call free because it can lead to use after free or double free bugs. The caller should be responsible for creating and destroying the buffer. From BoringSSL commit a84f06fc1eee6ea25ce040675fbad72c532afece miod agrees with the reasoning ok jsing@, beck@
---
 src/lib/libssl/bs_cbb.c | 9 ++++++---
 src/lib/libssl/src/ssl/bs_cbb.c | 9 ++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)
(limited to 'src/lib/libssl')
diff --git a/src/lib/libssl/bs_cbb.c b/src/lib/libssl/bs_cbb.c
index 94ca54f43b..eed8091698 100644
--- a/src/lib/libssl/bs_cbb.c
+++ b/src/lib/libssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bs_cbb.c,v 1.3 2015/02/06 22:22:33 doug Exp $ */
+/* $OpenBSD: bs_cbb.c,v 1.4 2015/02/07 04:37:35 doug Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -29,7 +29,6 @@ cbb_init(CBB *cbb, uint8_t *buf, size_t cap)
 base = malloc(sizeof(struct cbb_buffer_st));
 if (base == NULL) {
- free(buf);
 return 0;
 }
@@ -53,7 +52,11 @@ CBB_init(CBB *cbb, size_t initial_capacity)
 if (initial_capacity > 0 && buf == NULL)
 return 0;
- return cbb_init(cbb, buf, initial_capacity);
+ if (!cbb_init(cbb, buf, initial_capacity)) {
+ free(buf);
+ return 0;
+ }
+ return 1;
 }
 int
diff --git a/src/lib/libssl/src/ssl/bs_cbb.c b/src/lib/libssl/src/ssl/bs_cbb.c
index 94ca54f43b..eed8091698 100644
--- a/src/lib/libssl/src/ssl/bs_cbb.c
+++ b/src/lib/libssl/src/ssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bs_cbb.c,v 1.3 2015/02/06 22:22:33 doug Exp $ */
+/* $OpenBSD: bs_cbb.c,v 1.4 2015/02/07 04:37:35 doug Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -29,7 +29,6 @@ cbb_init(CBB *cbb, uint8_t *buf, size_t cap)
 base = malloc(sizeof(struct cbb_buffer_st));
 if (base == NULL) {
- free(buf);
 return 0;
 }
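Review bot: The ownership rule this hunk establishes for cbb_init() is not recorded in the function, so the deleted `free(buf)` is likely to be re-added by someone reading the `if (base == NULL)` failure path as a leak. The hunk shows that on `malloc` failure `buf` is now left untouched, which means the caller keeps ownership of it; what happens to `buf` on success is outside the hunk and presumably is a transfer into the CBB. A comment at the check would pin that down: `/* Do not free buf here: on failure the caller still owns it (CBB_init() frees its own allocation, CBB_init_fixed()'s caller owns theirs). */`. cbb_init()'s body starts and ends outside the hunk.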
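Review bot: The new `free(buf)` in CBB_init()'s failure branch is only correct because cbb_init() no longer frees on failure, and nothing in this function says so; a reader checking for a double free has to go look at cbb_init(). It also depends on `free(NULL)` being a no-op for the `initial_capacity == 0` case, where the earlier `initial_capacity > 0 && buf == NULL` check deliberately lets a NULL `buf` through from `malloc(0)`. A comment above the `free` such as `/* cbb_init() does not take ownership on failure, so buf is still ours; free(NULL) is harmless when initial_capacity == 0. */` would make both dependencies explicit. CBB_init()'s body begins outside the hunk.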
@@ -53,7 +52,11 @@ CBB_init(CBB *cbb, size_t initial_capacity)
 if (initial_capacity > 0 && buf == NULL)
 return 0;
- return cbb_init(cbb, buf, initial_capacity);
+ if (!cbb_init(cbb, buf, initial_capacity)) {
+ free(buf);
+ return 0;
+ }
+ return 1;
 }
 int
--
cgit v1.2.3-55-g6feb
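Review bot: This copy of bs_cbb.c has the same gap as the one under src/lib/libssl: the `free(buf)` added on cbb_init() failure is correct only because cbb_init() stopped freeing in the same commit, and the function itself does not say so. Since the two copies must stay in sync, the same comment belongs above this `free` too: `/* cbb_init() does not take ownership on failure, so buf is still ours; free(NULL) is harmless when initial_capacity == 0. */`. CBB_init()'s body begins outside the hunk.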