Fix a failure to NULL a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209 Reviewed-by: Richard Levitte <levitte@openssl.org>
author: Matt Caswell <matt@openssl.org> 2015-03-19 10:16:32 +0000
committer: Matt Caswell <matt@openssl.org> 2015-03-19 13:01:13 +0000
commit: 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f (patch)
tree: ef0d4188017e0a8db017b5b3eaac83193faced75 /crypto/asn1/x_x509.c
parent: 367eab2f9f1d1131356118507d21534558863365 (diff)
download: openssl-5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.zip
openssl-5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.tar.gz
openssl-5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.tar.bz2
1 files changed, 11 insertions, 1 deletions
diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index f487dbb..36f6ff4 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -168,8 +168,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
     const unsigned char *q;
     X509 *ret;
+    int freeret = 0;
+
     /* Save start position */
     q = *pp;
+
+    if(!a || *a == NULL) {
+        freeret = 1;
+    }
     ret = d2i_X509(a, pp, length);
     /* If certificate unreadable then forget it */
     if (!ret)
@@ -182,7 +188,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
         goto err;
     return ret;
  err:
-    X509_free(ret);
+    if(freeret) {
+        X509_free(ret);
+        if (a)
+            *a = NULL;
+    }
     return NULL;
 }
author	Matt Caswell <matt@openssl.org>	2015-03-19 10:16:32 +0000
committer	Matt Caswell <matt@openssl.org>	2015-03-19 13:01:13 +0000
commit	5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f (patch)
tree	ef0d4188017e0a8db017b5b3eaac83193faced75 /crypto/asn1/x_x509.c
parent	367eab2f9f1d1131356118507d21534558863365 (diff)
download	openssl-5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.zip openssl-5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.tar.gz openssl-5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.tar.bz2