[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

Dr. Stephen Henson steve at openssl.org
Thu Apr 7 18:30:03 UTC 2016

The branch OpenSSL_1_0_1-stable has been updated
       via  7a433893adbe7eab3c41581175493d9e5326ba3f (commit)
      from  f4bed7c7b6fe8459dbc14e28f91c6150013b9c5e (commit)

- Log -----------------------------------------------------------------
commit 7a433893adbe7eab3c41581175493d9e5326ba3f
Author: David Benjamin <davidben at google.com>
Date:   Mon Mar 14 15:03:07 2016 -0400

    Fix memory leak on invalid CertificateRequest.
    Free up parsed X509_NAME structure if the CertificateRequest message
    contains excess data.
    The security impact is considered insignificant. This is a client side
    only leak and a large number of connections to malicious servers would
    be needed to have a significant impact.
    This was found by libFuzzer.
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    Reviewed-by: Stephen Henson <steve at openssl.org>
    (cherry picked from commit ec66c8c98881186abbb4a7ddd6617970f1ee27a7)


Summary of changes:
 ssl/s3_clnt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index cfa5080..9e5875f 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2104,6 +2104,7 @@ int ssl3_get_certificate_request(SSL *s)
             goto err;
+        xn = NULL;
         p += l;
         nc += l + 2;
@@ -2127,6 +2128,7 @@ int ssl3_get_certificate_request(SSL *s)
     s->state = SSL_ST_ERR;
+    X509_NAME_free(xn);
     if (ca_sk != NULL)
         sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
     return (ret);
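Review bot: The unconditional `X509_NAME_free(xn);` after `s->state = SSL_ST_ERR;` depends on `xn` being NULL whenever no parsed name is pending, and the initialisation of `xn` is not visible in this diff. Please confirm the declaration sets `xn = NULL`, because an early `goto err` taken before the first name is parsed would otherwise free an uninitialised pointer. The call sits beside the guarded `if (ca_sk != NULL)` cleanup without a guard of its own; that is fine because `X509_NAME_free` accepts NULL, but if this cleanup is also reached on the success path it relies entirely on the `xn = NULL;` reset from the first hunk. Since the leak was found by fuzzing, a regression input with excess data after the name list would be a useful addition alongside the fix.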
