Fix double free in policy check code (CVE-2011-4109)

CHANGES

@@ -4,6 +4,9 @@
 
  Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
 
+  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
+     [Ben Laurie, Kasper <ekasper@google.com>]
+
   *) Clear bytes used for block padding of SSL 3.0 records.
      (CVE-2011-4576)
      [Adam Langley (Google)]

crypto/x509v3/pcy_map.c

@@ -70,8 +70,6 @@ static int ref_cmp(const X509_POLICY_REF * const *a,
 
 static void policy_map_free(X509_POLICY_REF *map)
 	{
-	if (map->subjectDomainPolicy)
-		ASN1_OBJECT_free(map->subjectDomainPolicy);
 	OPENSSL_free(map);
 	}
 
@@ -95,6 +93,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 	{
 	POLICY_MAPPING *map;
 	X509_POLICY_REF *ref = NULL;
+	ASN1_OBJECT *subjectDomainPolicyRef;
 	X509_POLICY_DATA *data;
 	X509_POLICY_CACHE *cache = x->policy_cache;
 	int i;
@@ -153,13 +152,16 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 		if (!sk_ASN1_OBJECT_push(data->expected_policy_set, 
 						map->subjectDomainPolicy))
 			goto bad_mapping;
+                /* map->subjectDomainPolicy will be freed when
+                 * cache->data is freed. Set it to NULL to avoid double-free. */
+                subjectDomainPolicyRef = map->subjectDomainPolicy;
+                map->subjectDomainPolicy = NULL;
 		
 		ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
 		if (!ref)
 			goto bad_mapping;
 
-		ref->subjectDomainPolicy = map->subjectDomainPolicy;
-		map->subjectDomainPolicy = NULL;
+		ref->subjectDomainPolicy = subjectDomainPolicyRef;
 		ref->data = data;
 
 		if (!sk_X509_POLICY_REF_push(cache->maps, ref))

crypto/x509v3/pcy_tree.c

@@ -612,6 +612,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 		case 2:
 		return 1;
 
+                /* Some internal error */
+		case -1:
+		return -1;
+
 		/* Some internal error */
 		case 0:
 		return 0;
@@ -691,4 +695,3 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 	return 0;
 
 	}
-