Fix dsa_pub_encode

The return value from ASN1_STRING_new() was not being checked which could lead to a NULL deref in the event of a malloc failure. Also fixed a mem leak in the error path. Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-11 20:19:08 +00:00 · 2015-03-11 20:19:08 +00:00 · 0c7ca4033d
commit 0c7ca4033d
parent 6aa8dab2bb
1 changed files with 8 additions and 6 deletions
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@ -129,21 +129,23 @@ static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
 static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
    DSA *dsa;
-    void *pval = NULL;
    int ptype;
    unsigned char *penc = NULL;
    int penclen;
+    ASN1_STRING *str = NULL;

    dsa = pkey->pkey.dsa;
    if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
-        ASN1_STRING *str;
        str = ASN1_STRING_new();
+        if (!str) {
+            DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
        str->length = i2d_DSAparams(dsa, &str->data);
        if (str->length <= 0) {
            DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
            goto err;
        }
-        pval = str;
        ptype = V_ASN1_SEQUENCE;
    } else
        ptype = V_ASN1_UNDEF;
@ -158,14 +160,14 @@ static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
    }

    if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA),
-                               ptype, pval, penc, penclen))
+                               ptype, str, penc, penclen))
        return 1;

 err:
    if (penc)
        OPENSSL_free(penc);
-    if (pval)
-        ASN1_STRING_free(pval);
+    if (str)
+        ASN1_STRING_free(str);

    return 0;
 }