[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Wed Jul 5 09:14:11 UTC 2017


The branch master has been updated
       via  67f060acefae34d820ccdb2f560d86ed10633500 (commit)
      from  efc21a513f1c5227cb56372fa65270f49d234b09 (commit)


- Log -----------------------------------------------------------------
commit 67f060acefae34d820ccdb2f560d86ed10633500
Author: Richard Levitte <levitte at openssl.org>
Date:   Wed Jul 5 11:03:34 2017 +0200

    Avoid possible memleak in X509_policy_check()
    
    When tree_calculate_user_set() fails, a jump to error failed to
    deallocate a possibly allocated |auth_nodes|.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/3850)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509v3/pcy_tree.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 9f9246b..b3d1983 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -638,6 +638,7 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 {
     int init_ret;
     int ret;
+    int calc_ret;
     X509_POLICY_TREE *tree = NULL;
     STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
 
@@ -675,11 +676,14 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
     }
 
     /* Tree is not empty: continue */
-    if ((ret = tree_calculate_authority_set(tree, &auth_nodes)) == 0 ||
-        !tree_calculate_user_set(tree, policy_oids, auth_nodes))
+
+    if ((calc_ret = tree_calculate_authority_set(tree, &auth_nodes)) == 0)
         goto error;
-    if (ret == TREE_CALC_OK_DOFREE)
+    ret = tree_calculate_user_set(tree, policy_oids, auth_nodes);
+    if (calc_ret == TREE_CALC_OK_DOFREE)
         sk_X509_POLICY_NODE_free(auth_nodes);
+    if (!ret)
+        goto error;
 
     *ptree = tree;
 


More information about the openssl-commits mailing list