generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix memory leak on invalid CertificateRequest.

Browse Source 
Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.

The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.

This was found by libFuzzer.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit ec66c8c988)
This commit is contained in:
David Benjamin 2016-03-14 15:03:07 -04:00 committed by Dr. Stephen Henson
parent f4bed7c7b6
commit 7a433893ad
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/s3_clnt.c
View File

@ -2104,6 +2104,7 @@ int ssl3_get_certificate_request(SSL *s)
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
goto err;
}
xn = NULL;
p += l;
nc += l + 2;
@ -2127,6 +2128,7 @@ int ssl3_get_certificate_request(SSL *s)
err:
s->state = SSL_ST_ERR;
done:
X509_NAME_free(xn);
if (ca_sk != NULL)
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
return (ret);