Fix double free in policy check code (CVE-2011-4109)

This commit is contained in:
Dr. Stephen Henson 2012-01-04 19:00:28 +00:00
parent e643112dd8
commit 1db0bbdc76
3 changed files with 13 additions and 5 deletions


@ -4,6 +4,9 @@
Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
*) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
[Ben Laurie, Kasper <ekasper@google.com>]
*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]


@ -70,8 +70,6 @@ static int ref_cmp(const X509_POLICY_REF * const *a,
static void policy_map_free(X509_POLICY_REF *map)
{
if (map->subjectDomainPolicy)
ASN1_OBJECT_free(map->subjectDomainPolicy);
OPENSSL_free(map);
}
@ -95,6 +93,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
{
POLICY_MAPPING *map;
X509_POLICY_REF *ref = NULL;
ASN1_OBJECT *subjectDomainPolicyRef;
X509_POLICY_DATA *data;
X509_POLICY_CACHE *cache = x->policy_cache;
int i;
@ -153,13 +152,16 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
map->subjectDomainPolicy))
goto bad_mapping;
/* map->subjectDomainPolicy will be freed when
* cache->data is freed. Set it to NULL to avoid double-free. */
subjectDomainPolicyRef = map->subjectDomainPolicy;
map->subjectDomainPolicy = NULL;
ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
if (!ref)
goto bad_mapping;
ref->subjectDomainPolicy = map->subjectDomainPolicy;
map->subjectDomainPolicy = NULL;
ref->subjectDomainPolicy = subjectDomainPolicyRef;
ref->data = data;
if (!sk_X509_POLICY_REF_push(cache->maps, ref))
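Review bot: The new ownership rule is documented only at the point of transfer (the comment above `subjectDomainPolicyRef = map->subjectDomainPolicy;`), while the consequence is enforced silently in policy_map_free in the first hunk, which now relies on `ref->subjectDomainPolicy` never being owned by the ref. I would restate it where the alias is stored, at `ref->subjectDomainPolicy = subjectDomainPolicyRef;`, with `/* borrowed: owned by data->expected_policy_set, freed with cache->data */`, and add a matching one-liner in policy_map_free, `/* subjectDomainPolicy is not owned by the ref; see policy_cache_set_mapping */`, so a later maintainer does not reintroduce the free. The ordering of the transfer looks right: the map keeps the pointer until sk_ASN1_OBJECT_push has succeeded, so on a failed push or a failed OPENSSL_malloc the object is still reachable for whatever cleanup bad_mapping performs (not visible here). policy_cache_set_mapping's body, including the bad_mapping label, continues outside the hunk.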


@ -612,6 +612,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
case 2:
return 1;
/* Some internal error */
case -1:
return -1;
/* Some internal error */
case 0:
return 0;
@ -691,4 +695,3 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
return 0;
}
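Review bot: The added `case -1:` carries the same comment as the existing `case 0:` (`/* Some internal error */` appears twice in a row), which hides the reason the two cases now return different values. I would make the new comment say what is specific to it, e.g. `/* Internal error from tree_init: propagate -1 unchanged to the caller */`, and leave the `case 0:` comment describing its own condition rather than repeating the same words; how tree_init distinguishes the two cannot be confirmed from the hunk. X509_policy_check starts before this hunk and the switch, including its default handling, continues past it.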