The branch master has been updated via 59053968e756e9063c512fba59717c32621e3f1a (commit) via abcf241114c4dc33af95288ae7f7d10916c67db0 (commit) from 8db7946ee879ce483f4c81141926e1357aa6b941 (commit)
- Log ----------------------------------------------------------------- commit 59053968e756e9063c512fba59717c32621e3f1a Author: Pavel Kopyl <p.ko...@samsung.com> Date: Fri Nov 3 22:18:35 2017 +0300 do_body: fix heap-use-after-free. The memory pointed to by the 'push' is freed by the X509_NAME_ENTRY_free() in do_body(). The second time it is referenced to (indirectly) in certify_cert:X509_REQ_free(). Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4698) commit abcf241114c4dc33af95288ae7f7d10916c67db0 Author: Pavel Kopyl <p.ko...@samsung.com> Date: Tue Nov 7 15:28:18 2017 +0300 X509V3_EXT_add_nconf_sk, X509v3_add_ext: fix errors handling X509v3_add_ext: free 'sk' if the memory pointed to by it was malloc-ed inside this function. X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails. This prevents use of a freed memory in do_body:sk_X509_EXTENSION_num(). Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4698) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 1 - crypto/x509/x509_v3.c | 3 ++- crypto/x509v3/v3_conf.c | 8 ++++++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 26c0778..2819fea 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1556,7 +1556,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (push != NULL) { if (!X509_NAME_add_entry(subject, push, -1, 0)) { - X509_NAME_ENTRY_free(push); BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c index a09b0ce..b439030 100644 --- a/crypto/x509/x509_v3.c +++ b/crypto/x509/x509_v3.c @@ -128,7 +128,8 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE); err2: X509_EXTENSION_free(new_ex); - sk_X509_EXTENSION_free(sk); + if (x != NULL && *x == NULL) + sk_X509_EXTENSION_free(sk); return NULL; } diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c index 711ff02..59caa31 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509v3/v3_conf.c @@ -313,8 +313,12 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, return 0; if (ctx->flags == X509V3_CTX_REPLACE) delete_ext(*sk, ext); - if (sk) - X509v3_add_ext(sk, ext, -1); + if (sk != NULL) { + if (X509v3_add_ext(sk, ext, -1) == NULL) { + X509_EXTENSION_free(ext); + return 0; + } + } X509_EXTENSION_free(ext); } return 1; _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits