[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

[Richard Levitte]

The branch OpenSSL_1_1_0-stable has been updated
       via  ae45175406f8dbda8cb77abcc9da5374c35a25ba (commit)
      from  1968ea9850f7e50609284756ca78e465e5ee4fb9 (commit)


- Log -----------------------------------------------------------------
commit ae45175406f8dbda8cb77abcc9da5374c35a25ba
Author: Richard Levitte <levitte at openssl.org>
Date:   Sun Jan 29 08:52:02 2017 +0100

    Fix faulty free
    
    On error, i2o_SCT_signature() and i2o_SCT() free a pointer that may
    have wandered off from the start of the allocated block (not currently
    true for i2o_SCT_signature(), but has that potential as the code may
    change.  To avoid this, save away the start of the allocated block and
    free that instead.
    
    Thanks to Guido Vranken for reporting this issue.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2323)
    (cherry picked from commit d85d3c993e322d3e4c3f00be2910faa8c55b40e3)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ct/ct_oct.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/ct/ct_oct.c b/crypto/ct/ct_oct.c
index d3edd39..0dd691c 100644
--- a/crypto/ct/ct_oct.c
+++ b/crypto/ct/ct_oct.c
@@ -153,7 +153,7 @@ err:
 int i2o_SCT_signature(const SCT *sct, unsigned char **out)
 {
     size_t len;
-    unsigned char *p = NULL;
+    unsigned char *p = NULL, *pstart = NULL;
 
     if (!SCT_signature_is_complete(sct)) {
         CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
@@ -177,7 +177,7 @@ int i2o_SCT_signature(const SCT *sct, unsigned char **out)
             p = *out;
             *out += len;
         } else {
-            p = OPENSSL_malloc(len);
+            pstart = p = OPENSSL_malloc(len);
             if (p == NULL) {
                 CTerr(CT_F_I2O_SCT_SIGNATURE, ERR_R_MALLOC_FAILURE);
                 goto err;
@@ -193,14 +193,14 @@ int i2o_SCT_signature(const SCT *sct, unsigned char **out)
 
     return len;
 err:
-    OPENSSL_free(p);
+    OPENSSL_free(pstart);
     return -1;
 }
 
 int i2o_SCT(const SCT *sct, unsigned char **out)
 {
     size_t len;
-    unsigned char *p = NULL;
+    unsigned char *p = NULL, *pstart = NULL;
 
     if (!SCT_is_complete(sct)) {
         CTerr(CT_F_I2O_SCT, CT_R_SCT_NOT_SET);
@@ -224,7 +224,7 @@ int i2o_SCT(const SCT *sct, unsigned char **out)
         p = *out;
         *out += len;
     } else {
-        p = OPENSSL_malloc(len);
+        pstart = p = OPENSSL_malloc(len);
         if (p == NULL) {
             CTerr(CT_F_I2O_SCT, ERR_R_MALLOC_FAILURE);
             goto err;
@@ -250,7 +250,7 @@ int i2o_SCT(const SCT *sct, unsigned char **out)
 
     return len;
 err:
-    OPENSSL_free(p);
+    OPENSSL_free(pstart);
     return -1;
 }