There is a double free in ocsp_main(); the attached patch fixes the issue.

The user provides the -url argument to the ocsp utility, and if
OCSP_parse_url fails, it frees the variable host. The variable host
is then assigned to thost, and the function goes on and goes to end,
where the variable thost is freed, causing a double free.

---
Kurt Cancemi
https://www.x64architecture.com

From 51c092fc2c05091ae874b91a1d53b378d39422e7 Mon Sep 17 00:00:00 2001
From: Kurt Cancemi <k...@x64architecture.com>
Date: Thu, 29 Jan 2015 20:33:06 -0500
Subject: [PATCH] Fix double free in ocsp_main()

---
 apps/ocsp.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 4b9d6f6..ca9a984 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -885,12 +885,14 @@ int MAIN(int argc, char **argv)
     sk_X509_pop_free(verify_other, X509_free);
     sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
 
-    if (thost)
-        OPENSSL_free(thost);
-    if (tport)
-        OPENSSL_free(tport);
-    if (tpath)
-        OPENSSL_free(tpath);
+    if (!badarg) {
+        if (thost)
+            OPENSSL_free(thost);
+        if (tport)
+            OPENSSL_free(tport);
+        if (tpath)
+            OPENSSL_free(tpath);
+    }
 
     OPENSSL_EXIT(ret);
 }
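Review bot: In the cleanup before OPENSSL_EXIT(ret), the new `if (!badarg)` guard ties the three frees to an argument-parsing flag instead of to pointer ownership. Any run that reaches this point with badarg set after thost, tport or tpath were validly allocated now skips freeing them, and the guard only helps if every path that leaves thost dangling also sets badarg. Suggest keeping the frees unconditional and fixing the source instead: clear host (and the port and path pointers) where the -url parse fails, or assign thost/tport/tpath only after the parse succeeds, so the pointer is never stale when it gets here. If the guard stays, a short comment is needed, since nothing in the hunk explains why badarg decides whether memory is released.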
-- 
2.2.2
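
The failure path described in the report, modelled as an added example (not the OpenSSL source and not the author's code): `parse_url_stub`, `tracked_free`, `reset_tracking` and `run` are hypothetical names, and the sample URLs are constructed. It contrasts unconditional cleanup of a stale alias with clearing the pointer at the point where the parse fails.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical tracking wrapper: marks a pointer as released and counts a
 * second release instead of handing the block to free() twice. */
static void *released[8];
static int n_released, double_frees;

static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { double_frees++; return; }
    if (n_released < 8)
        released[n_released++] = p;   /* real free() is deferred to reset */
}

static void reset_tracking(void)
{
    while (n_released > 0)
        free(released[--n_released]);
}

/* Stand-in for the URL parse step (not OpenSSL code): on failure it releases
 * *phost but leaves the caller's pointer dangling, as the report describes. */
static int parse_url_stub(const char *url, char **phost)
{
    if ((*phost = malloc(strlen(url) + 1)) == NULL)
        return 0;
    strcpy(*phost, url);
    if (strstr(url, "://") != NULL)
        return 1;
    tracked_free(*phost);
    return 0;
}

/* Runs parse plus unconditional cleanup; returns the double frees observed. */
static int run(const char *url, int hardened)
{
    char *host = NULL, *thost;
    double_frees = 0;
    if (!parse_url_stub(url, &host) && hardened)
        host = NULL;                  /* drop the stale pointer at the failure site */
    thost = host;                     /* alias released by the cleanup path */
    tracked_free(thost);
    reset_tracking();
    return double_frees;
}

int main(void) { return (run("bad-url", 0) == 1 && run("bad-url", 1) == 0) ? 0 : 1; }
```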
