Fix a failure to NULL a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209 Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 10:16:32 +00:00 · 2015-03-19 10:16:32 +00:00 · c380bff888
commit c380bff888
parent 6655ac4e45
2 changed files with 16 additions and 3 deletions
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@ -179,8 +179,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
    const unsigned char *q;
    X509 *ret;
    int freeret = 0;
    /* Save start position */
    q = *pp;
    if(!a || *a == NULL) {
        freeret = 1;
    }
    ret = d2i_X509(a, pp, length);
    /* If certificate unreadable then forget it */
    if (!ret)
@ -193,7 +199,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
        goto err;
    return ret;
 err:
-    X509_free(ret);
+    if(freeret) {
        X509_free(ret);
        if (a)
            *a = NULL;
    }
    return NULL;
 }
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@ -1196,16 +1196,19 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
            ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
            return NULL;
        }
        if (a)
            *a = ret;
    } else
        ret = *a;
    if (!d2i_ECPKParameters(&ret->group, in, len)) {
        ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
        if (a == NULL || *a != ret)
             EC_KEY_free(ret);
        return NULL;
    }
    if (a)
        *a = ret;
    return ret;
 }