diff options
author | Matt Caswell <matt@openssl.org> | 2015-03-19 10:16:32 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-03-19 13:01:13 +0000 |
commit | 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f (patch) | |
tree | ef0d4188017e0a8db017b5b3eaac83193faced75 /crypto/asn1/x_x509.c | |
parent | 367eab2f9f1d1131356118507d21534558863365 (diff) | |
download | openssl-5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.tar.gz |
Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/asn1/x_x509.c')
-rw-r--r-- | crypto/asn1/x_x509.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index f487dbbc3a..36f6ff4362 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -168,8 +168,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) { const unsigned char *q; X509 *ret; + int freeret = 0; + /* Save start position */ q = *pp; + + if(!a || *a == NULL) { + freeret = 1; + } ret = d2i_X509(a, pp, length); /* If certificate unreadable then forget it */ if (!ret) @@ -182,7 +188,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) goto err; return ret; err: - X509_free(ret); + if(freeret) { + X509_free(ret); + if (a) + *a = NULL; + } return NULL; } |