generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix possible memory leak on BUF_MEM_grow_clean failure

Browse Source 
backport of 3eb70c5ebae6f2b5fd6034ed5af14910c8479688
shorter changes

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
FdaSilvaYY 2016-01-29 19:49:38 +01:00 committed by Rich Salz
parent a3762a92d6
commit e9cf5f0366
1 changed files with 4 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
crypto/asn1/tasn_dec.c
View File

@ -715,9 +715,9 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
{
int ret = 0, utype;
long plen;
char cst, inf, free_cont = 0;
char cst, inf, free_cont = 1;
const unsigned char *p;
BUF_MEM buf;
BUF_MEM buf = { 0, NULL, 0, 0 };
const unsigned char *cont = NULL;
long len;
if (!pval) {
@ -793,7 +793,6 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
} else {
len = p - cont + plen;
p += plen;
buf.data = NULL;
}
} else if (cst) {
if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
@ -802,9 +801,6 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_PRIMITIVE);
return 0;
}
buf.length = 0;
buf.max = 0;
buf.data = NULL;
/*
* Should really check the internal tags are correct but some things
* may get this wrong. The relevant specs say that constructed string
@ -812,18 +808,16 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
* So instead just check for UNIVERSAL class and ignore the tag.
*/
if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) {
free_cont = 1;
goto err;
}
len = buf.length;
/* Append a final null to string */
if (!BUF_MEM_grow_clean(&buf, len + 1)) {
ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
return 0;
goto err;
}
buf.data[len] = 0;
cont = (const unsigned char *)buf.data;
free_cont = 1;
} else {
cont = p;
len = plen;
@ -831,6 +825,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
}
/* We now have content length and type: translate into a structure */
/* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */
if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it))
goto err;