[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Matt Caswell
matt at openssl.org
Wed Feb 21 12:26:26 UTC 2018
The branch OpenSSL_1_1_0-stable has been updated
via a9603be1a8484fc17cbcb0f4df953a4c6f37ffa1 (commit)
via 2d4def005263614d23b9dcbf98f48c145ea1b0cf (commit)
from 5a19f9ea7a27453d67c09160a8c806e644e844e7 (commit)
- Log -----------------------------------------------------------------
commit a9603be1a8484fc17cbcb0f4df953a4c6f37ffa1
Author: Pavel Kopyl <p.kopyl at samsung.com>
Date: Fri Nov 3 22:18:35 2017 +0300
do_body: fix heap-use-after-free.
The memory pointed to by 'push' is freed by the
X509_NAME_ENTRY_free() in do_body(). The second time
it is referenced (indirectly) in certify_cert:X509_REQ_free().
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4698)
commit 2d4def005263614d23b9dcbf98f48c145ea1b0cf
Author: Pavel Kopyl <p.kopyl at samsung.com>
Date: Tue Nov 7 15:28:18 2017 +0300
X509V3_EXT_add_nconf_sk, X509v3_add_ext: fix error handling
X509v3_add_ext: free 'sk' if the memory pointed to by it
was malloc-ed inside this function.
X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails.
This prevents use of freed memory in do_body:sk_X509_EXTENSION_num().
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4698)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 1 -
crypto/x509/x509_v3.c | 3 ++-
crypto/x509v3/v3_conf.c | 8 ++++++--
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 26ca6bb..ad8c5c8 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1560,7 +1560,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if (push != NULL) {
if (!X509_NAME_add_entry(subject, push, -1, 0)) {
- X509_NAME_ENTRY_free(push);
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
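Review bot: with the free removed from the `X509_NAME_add_entry()` failure branch, nothing at this site records who owns `push`. The commit message says the same memory is released later through `X509_REQ_free()` in certify_cert, so a one-line comment above `if (push != NULL)` stating that `push` is not owned by do_body() and must not be freed here would keep the call from being reintroduced by a later cleanup.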
diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c
index 213e762..cbadd9b 100644
--- a/crypto/x509/x509_v3.c
+++ b/crypto/x509/x509_v3.c
@@ -128,7 +128,8 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE);
err2:
X509_EXTENSION_free(new_ex);
- sk_X509_EXTENSION_free(sk);
+ if (x != NULL && *x == NULL)
+ sk_X509_EXTENSION_free(sk);
return (NULL);
}
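Review bot: the new guard at `err2` infers that `sk` was allocated inside this function from `*x == NULL`, which only holds if `*x` is never assigned before a jump to this label, and the hunk does not show that. A local flag set at the allocation site, or a comment at `err2` stating the invariant, would make the ownership rule explicit. The contract that a caller-supplied stack is not freed on failure also deserves a line in the function's documentation.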
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index f625ff5..68ceab1 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -313,8 +313,12 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
return 0;
if (ctx->flags == X509V3_CTX_REPLACE)
delete_ext(*sk, ext);
- if (sk)
- X509v3_add_ext(sk, ext, -1);
+ if (sk != NULL) {
+ if (X509v3_add_ext(sk, ext, -1) == NULL) {
+ X509_EXTENSION_free(ext);
+ return 0;
+ }
+ }
X509_EXTENSION_free(ext);
}
return 1;
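Review bot: `delete_ext(*sk, ext)` in the unchanged context dereferences `sk` immediately before the new `if (sk != NULL)` test, so either the NULL check is unnecessary or the `X509V3_CTX_REPLACE` path can dereference a NULL pointer. Moving the `delete_ext()` call inside the new `sk != NULL` block would resolve the inconsistency. As a style point, `X509_EXTENSION_free(ext)` now appears on both the failure and success paths; storing the result of `X509v3_add_ext()` and freeing `ext` once before testing it would avoid the duplicate.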