From c23a67af7f4a09d29116172b102fabc1c99365fe Mon Sep 17 00:00:00 2001 From: miod <> Date: Mon, 29 Sep 2014 04:20:14 +0000 Subject: check_cert(): be sure to reset ctx->current_crl to NULL before freeing it. X509_STORE_CTX_init(): do not free the X509_STORE_CTX * parameter upon failure, for we did not allocate it and it might not come from the heap, such as in check_crl_path() in this very same file where X509_STORE_CTX_init() gets invoked with a stack address. ok bcook@ --- src/lib/libcrypto/x509/x509_vfy.c | 15 +++++---------- src/lib/libssl/src/crypto/x509/x509_vfy.c | 15 +++++---------- 2 files changed, 10 insertions(+), 20 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index ae8484a885..cda8aeafa9 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.37 2014/07/17 07:13:02 logan Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.38 2014/09/29 04:20:14 miod Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -747,6 +747,7 @@ check_cert(X509_STORE_CTX *ctx) goto err; } + ctx->current_crl = NULL; X509_CRL_free(crl); X509_CRL_free(dcrl); crl = NULL; @@ -762,10 +763,9 @@ check_cert(X509_STORE_CTX *ctx) } err: + ctx->current_crl = NULL; X509_CRL_free(crl); X509_CRL_free(dcrl); - - ctx->current_crl = NULL; return ok; } @@ -2100,13 +2100,8 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->check_policy = check_policy; - /* This memset() can't make any sense anyway, so it's removed. As - * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a - * corresponding "new" here and remove this bogus initialisation. */ - /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &(ctx->ex_data))) { - free(ctx); + if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, + &(ctx->ex_data)) == 0) { X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; } diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c index ae8484a885..cda8aeafa9 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.37 2014/07/17 07:13:02 logan Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.38 2014/09/29 04:20:14 miod Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -747,6 +747,7 @@ check_cert(X509_STORE_CTX *ctx) goto err; } + ctx->current_crl = NULL; X509_CRL_free(crl); X509_CRL_free(dcrl); crl = NULL; @@ -762,10 +763,9 @@ check_cert(X509_STORE_CTX *ctx) } err: + ctx->current_crl = NULL; X509_CRL_free(crl); X509_CRL_free(dcrl); - - ctx->current_crl = NULL; return ok; } @@ -2100,13 +2100,8 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->check_policy = check_policy; - /* This memset() can't make any sense anyway, so it's removed. As - * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a - * corresponding "new" here and remove this bogus initialisation. */ - /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &(ctx->ex_data))) { - free(ctx); + if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, + &(ctx->ex_data)) == 0) { X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; } -- cgit v1.2.3-55-g6feb