generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix double free in DSA private key parsing.

Browse Source 
Fix double free bug when parsing malformed DSA private keys.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

CVE-2016-0705

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 6c88c71b4e4825c7bc0489306d062d017634eb88)
This commit is contained in:
Dr. Stephen Henson 2016-02-18 12:47:23 +00:00
parent 3629c49d7a
commit ccb2a61407
1 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
crypto/dsa/dsa_ameth.c
View File

@ -191,6 +191,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
STACK_OF(ASN1_TYPE) *ndsa = NULL; STACK_OF(ASN1_TYPE) *ndsa = NULL;
DSA *dsa = NULL; DSA *dsa = NULL;
int ret = 0;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0; return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg); X509_ALGOR_get0(NULL, &ptype, &pval, palg);
@ -262,23 +264,21 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
} }
EVP_PKEY_assign_DSA(pkey, dsa); EVP_PKEY_assign_DSA(pkey, dsa);
ret = 1;
goto done;
decerr:
DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
dsaerr:
DSA_free(dsa);
done:
BN_CTX_free(ctx); BN_CTX_free(ctx);
if (ndsa) if (ndsa)
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
else else
ASN1_STRING_clear_free(privkey); ASN1_STRING_clear_free(privkey);
return ret;
return 1;
decerr:
DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
dsaerr:
BN_CTX_free(ctx);
if (privkey)
ASN1_STRING_clear_free(privkey);
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
DSA_free(dsa);
return 0;
} }
static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)