Bug in openssl 0.9.6: invalid ASN1 sequences cause multiple free calls

Ken Lalonde Wed, 15 Nov 2000 12:07:55 -0800

Invalid ASN1 DSA parameter sequences cause d2i_DSAparams()
to free a data pointer twice, leading to the usual boring chaos.
Fix is appended below.

This same bug appears in the following functions (same fix):
        d2i_DHparams()
        d2i_RSAPrivateKey()
        d2i_DSA_SIG()

Glad to see Rijndael and OCSP in the latest snapshots.
 -- Ken Lalonde, Torus Inc, Toronto Canada

diff -c -r1.1 d2i_dsap.c
*** d2i_dsap.c  2000/11/15 19:56:58     1.1
--- d2i_dsap.c  2000/11/15 19:57:02
***************
*** 84,89 ****
--- 84,90 ----
        if ((ret->g=BN_bin2bn(bs->data,bs->length,ret->g)) == NULL) goto err_bn;
  
        M_ASN1_BIT_STRING_free(bs);
+       bs = NULL;
  
        M_ASN1_D2I_Finish_2(a);
  
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Bug in openssl 0.9.6: invalid ASN1 sequences cause multiple free calls

Reply via email to