[openssl] master update
Matt Caswell
matt at openssl.org
Wed Apr 1 16:23:38 UTC 2020
The branch master has been updated
via fe56d5951f0b42fd3ff1cf42a96d07f06f9692bc (commit)
from a4a93bbfb0e679eaa249f77c7c4e7e823ca870ef (commit)
- Log -----------------------------------------------------------------
commit fe56d5951f0b42fd3ff1cf42a96d07f06f9692bc
Author: Matt Caswell <matt at openssl.org>
Date: Mon Mar 30 14:15:06 2020 +0100
Don't double free a DH object
Having created a DH object and assigned it to an EVP_PKEY - we should
not free both the EVP_PKEY and the original DH. This will lead to a
double free occurring.
This issue was discovered and reported by GitHub Security Lab team member
Agustin Gianni.
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11441)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/statem_clnt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 534902f9b9..4c4e6cb209 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2152,9 +2152,10 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
ERR_R_EVP_LIB);
goto err;
}
+ dh = NULL;
if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
- 0, dh)) {
+ 0, EVP_PKEY_get0_DH(peer_tmp))) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
SSL_R_DH_KEY_TOO_SMALL);
goto err;
More information about the openssl-commits
mailing list