Not quite, because now you avoid the potential double free and instead leak ret itself because of how ASN1_STRING_free works. You need to do this slightly differently.
On Sun, Apr 20, 2014 at 9:37 PM, Dirk Engling <[email protected]> wrote: > On 21.04.14 04:56, Ted Unangst wrote: > >> Also, can you include diffs inline please? One diff per email. Maybe >> just one or two emails to start, then try sending the rest after we >> see how that goes? > > fix double free in d2i_ASN1_bytes by setting ret->data = NULL after > free, before potential goto err; > > Index: a_bytes.c > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_bytes.c,v > retrieving revision 1.10 > diff -u -r1.10 a_bytes.c > --- a_bytes.c 17 Apr 2014 16:14:15 -0000 1.10 > +++ a_bytes.c 21 Apr 2014 03:35:25 -0000 > @@ -205,6 +205,7 @@ > if ((ret->length < len) || (ret->data == NULL)) { > if (ret->data != NULL) > free(ret->data); > + ret->data = NULL; > s = (unsigned char *)malloc((int)len + 1); > if (s == NULL) { > i = ERR_R_MALLOC_FAILURE; >
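
Review bot: The added `ret->data = NULL;` leaves `ret->length` at its old value, so on the `s == NULL` branch that follows (`i = ERR_R_MALLOC_FAILURE;`) the string reaches the error path with a NULL data pointer and a non-zero length. The hunk does not show what the `err` label does with `ret`, so the commit message should state which cleanup it relies on, and the change should either reset `ret->length` to 0 alongside the pointer or be made together with the error-path cleanup so the object is consistent when it is released. Separately, `free(NULL)` is a no-op, so the `if (ret->data != NULL)` guard around `free(ret->data)` can be dropped when this block is touched, which also removes any ambiguity about whether the new assignment belongs to the inner `if`.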
