[openssl] OpenSSL_1_1_1-stable update

Dr. Paul Dale pauli at openssl.org
Tue Apr 20 23:20:33 UTC 2021 

The branch OpenSSL_1_1_1-stable has been updated
       via  7f424d16c5358a2c5c652cd23b841e44550d1027 (commit)
      from  86a90dc749af91f8a7b8da6628c9ffca2bae3009 (commit)


- Log -----------------------------------------------------------------
commit 7f424d16c5358a2c5c652cd23b841e44550d1027
Author: Pauli <pauli at openssl.org>
Date:   Mon Apr 19 08:51:38 2021 +1000

    srp: fix double free,
    
    In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
    In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
    And *verify is freed via BN_clear_free() at line 743, and return 0.
    Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.
    
    Bug reported by @Yunlongs
    
    Fixes #14913
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14921)
    
    (cherry picked from commit b06450bcf763735a89b65ca3ec176600fe7fceed)

-----------------------------------------------------------------------

Summary of changes:
 crypto/srp/srp_vfy.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 3dd2ab0507..a846b37672 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -684,7 +684,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
     BIGNUM *x = NULL;
     BN_CTX *bn_ctx = BN_CTX_new();
     unsigned char tmp2[MAX_LEN];
-    BIGNUM *salttmp = NULL;
+    BIGNUM *salttmp = NULL, *verif;
 
     if ((user == NULL) ||
         (pass == NULL) ||
@@ -707,17 +707,18 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
     if (x == NULL)
         goto err;
 
-    *verifier = BN_new();
-    if (*verifier == NULL)
+    verif = BN_new();
+    if (verif == NULL)
         goto err;
 
-    if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) {
-        BN_clear_free(*verifier);
+    if (!BN_mod_exp(verif, g, x, N, bn_ctx)) {
+        BN_clear_free(verif);
         goto err;
     }
 
     result = 1;
     *salt = salttmp;
+    *verifier = verif;
 
  err:
     if (salt != NULL && *salt != salttmp)

More information about the openssl-commits mailing list