From fae403f23baa4e1b63122662c3ebdf9a99097ae3 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 1 May 2021 13:16:30 +0000
Subject: Plug leak in c2i_ASN1_OBJECT

When using the object reuse facility of c2i_ASN1_OBJECT, the dynamically
allocated strings a may contain are set to NULL, so we must free them
beforehand. Also clear the flag, because that's what OpenSSL chose to do.

From Richard Levitte OpenSSL 1.1.1 65b88a75921533ada8b465bc8d5c0817ad927947

ok inoguchi
---
 src/lib/libcrypto/asn1/a_object.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 16c3a1c0fd..8600f80474 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.31 2018/04/25 11:48:21 tb Exp $ */
+/* $OpenBSD: a_object.c,v 1.32 2021/05/01 13:16:30 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -304,8 +304,6 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
 		}
 	}
 
-	/* only the ASN1_OBJECTs from the 'table' will have values
-	 * for ->sn or ->ln */
 	if ((a == NULL) || ((*a) == NULL) ||
 	    !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) {
 		if ((ret = ASN1_OBJECT_new()) == NULL)
@@ -327,6 +325,13 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
 
 	memcpy(data, p, length);
 
+	/* If there are dynamic strings, free them here, and clear the flag. */
+	if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) {
+		free((void *)ret->sn);
+		free((void *)ret->ln);
+		ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS;
+	}
+
 	/* reattach data to object, after which it remains const */
 	ret->data = data;
 	ret->length = length;
-- 
cgit v1.2.3-55-g6feb