[openssl] master update

Richard Levitte levitte at openssl.org
Thu Apr 18 17:20:59 UTC 2019 

The branch master has been updated
       via  4f29f3a29b8b416a501c7166dbbca5284b198f81 (commit)
      from  87d9955e8cd2f1a2aa7f3a3e1da6c3c828070da1 (commit)


- Log -----------------------------------------------------------------
commit 4f29f3a29b8b416a501c7166dbbca5284b198f81
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Apr 15 13:15:55 2019 +0200

    asn1parse: avoid double free
    
    |str| was used for multiple conflicting purposes.  When using
    '-strictpem', it's used to uniquely hold a reference to the loaded
    payload.  However, when using '-strparse', |str| was re-used to hold
    the position from where to start parsing.
    
    So when '-strparse' and '-strictpem' are were together, |str| ended up
    pointing into data pointed at by |at|, and was yet being freed, with
    the result that the payload it held a reference to became a memory
    leak, and there was a double free conflict when both |str| and |at|
    were being freed.
    
    The situation is resolved by always having |buf| hold the pointer to
    the file data, and always and only use |str| to hold the position to
    start parsing from.  Now, we only need to free |buf| properly and not
    |str|.
    
    Fixes #8752
    
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    (Merged from https://github.com/openssl/openssl/pull/8753)

-----------------------------------------------------------------------

Summary of changes:
 apps/asn1pars.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/apps/asn1pars.c b/apps/asn1pars.c
index 4c1ce48..14f1dca 100644
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv)
     if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
         goto end;
 
+    if ((buf = BUF_MEM_new()) == NULL)
+        goto end;
     if (strictpem) {
-        if (PEM_read_bio(in, &name, &header, &str, &num) !=
-            1) {
+        if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
             BIO_printf(bio_err, "Error reading PEM file\n");
             ERR_print_errors(bio_err);
             goto end;
         }
+        buf->data = (char *)str;
+        buf->length = buf->max = num;
     } else {
-
-        if ((buf = BUF_MEM_new()) == NULL)
-            goto end;
         if (!BUF_MEM_grow(buf, BUFSIZ * 8))
             goto end;           /* Pre-allocate :-) */
 
@@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv)
     BUF_MEM_free(buf);
     OPENSSL_free(name);
     OPENSSL_free(header);
-    if (strictpem)
-        OPENSSL_free(str);
     ASN1_TYPE_free(at);
     sk_OPENSSL_STRING_free(osk);
     return ret;

More information about the openssl-commits mailing list