From be451ae58527f84289f4ad8c0ebc74bb5995f2df Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 1 May 2021 13:16:30 +0000
Subject: Plug leak in c2i_ASN1_OBJECT

When using the object reuse facility of c2i_ASN1_OBJECT, the dynamically
allocated strings a may contain are set to NULL, so we must free them
beforehand. Also clear the flag, because that's what OpenSSL chose to do.

From Richard Levitte OpenSSL 1.1.1 65b88a75921533ada8b465bc8d5c0817ad927947

ok inoguchi
---
 src/lib/libcrypto/asn1/a_object.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 16c3a1c0fd..8600f80474 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.31 2018/04/25 11:48:21 tb Exp $ */
+/* $OpenBSD: a_object.c,v 1.32 2021/05/01 13:16:30 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -304,8 +304,6 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
 		}
 	}
 
-	/* only the ASN1_OBJECTs from the 'table' will have values
-	 * for ->sn or ->ln */
 	if ((a == NULL) || ((*a) == NULL) ||
 	    !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) {
 		if ((ret = ASN1_OBJECT_new()) == NULL)
@@ -327,6 +325,13 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
 
 	memcpy(data, p, length);
 
+	/* If there are dynamic strings, free them here, and clear the flag. */
+	if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) {
+		free((void *)ret->sn);
+		free((void *)ret->ln);
+		ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS;
+	}
+
 	/* reattach data to object, after which it remains const */
 	ret->data = data;
 	ret->length = length;
-- 
cgit v1.2.3-55-g6feb