On Tue, Dec 22, 2015 at 06:53:54AM +0000, Viktor Dukhovni wrote:

> On Tue, Dec 22, 2015 at 04:33:45AM +0000, Srinivas Koripella via RT wrote:
>
> > There is a minor issue with X509_STORE_CTX_init and its usage. Most of
> > the callers of X509_STORE_CTX_init use a stack variable and pass its
> > address as the ctx argument to this function. However, X509_STORE_CTX_init
> > in case of an error in the call to CRYPTO_new_ex_data does an OPENSSL_free
> > on this stack variable. This in theory should be ok as the underlying
> > free implementation should probably be a no-op as this address is from
> > the stack.
>
> Thanks for the report. The bug was introduced way back on 2001/09/01
> by commit 79aa04ef27f69a1149d4d0e72d2d2953b6241ef0 and is present
> in OpenSSL 0.9.8 through 1.0.2.
>
> In the "master" development branch the extraneous "free" is gone,
> but the code is still not quite right, because the memset removed
> in 2001 really does belong (early) in X509_STORE_CTX_init() and
> should have been removed from X509_STORE_CTX_cleanup() instead,
> where zeroing data that is invalidated by cleanup is of course.
>
> Try the (lightly tested) patch below my signature.
Note, that patch was for 1.0.2e. No idea how cleanly it applies to other releases.

-- 
	Viktor.
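Added illustration, not from this thread or from OpenSSL (Viktor's patch is not reproduced in this message): a constructed C model of the ownership rule the report describes, namely that an init routine zeroes the caller-owned struct first and on failure releases only its own allocations, never the ctx pointer itself. The names ctx_t, new_ex_data and g_fail_ex_data are hypothetical stand-ins for X509_STORE_CTX and CRYPTO_new_ex_data.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a caller-owned context such as X509_STORE_CTX. */
typedef struct {
    void *store;    /* borrowed from the caller, not owned */
    void *ex_data;  /* owned; stands in for the CRYPTO_EX_DATA slot */
} ctx_t;
int g_fail_ex_data = 0;  /* fault injection: make the allocation below fail */
static int new_ex_data(void **slot)
{
    if (g_fail_ex_data)
        return 0;
    *slot = calloc(1, 16);
    return *slot != NULL;
}
/* Release only what the object owns, never the object itself (it may be the
 * caller's stack variable). Safe on a zeroed ctx: free(NULL) is a no-op. */
void ctx_cleanup(ctx_t *ctx)
{
    free(ctx->ex_data);
    ctx->ex_data = NULL;
}

/* Corrected pattern: zero the struct at entry so every field is defined even
 * if a later step fails, then on failure undo only this function's own work.
 * The 0.9.8 through 1.0.2 bug was an OPENSSL_free(ctx) on this error path. */
int ctx_init(ctx_t *ctx, void *store)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->store = store;
    if (!new_ex_data(&ctx->ex_data)) {
        ctx_cleanup(ctx);
        return 0;
    }
    return 1;
}

/* Caller pattern from the thread: ctx on the stack. Returns 1 when a failed
 * init leaves the ctx in a defined state and a following cleanup is harmless. */
int stack_ctx_survives_failed_init(void)
{
    ctx_t ctx;
    int store, ok, defined;
    g_fail_ex_data = 1;
    ok = ctx_init(&ctx, &store);
    g_fail_ex_data = 0;
    defined = (ok == 0 && ctx.ex_data == NULL && ctx.store == &store);
    ctx_cleanup(&ctx);
    return defined;
}
```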