[openssl] OpenSSL_1_1_1-stable update
Dr. Paul Dale
pauli at openssl.org
Tue Apr 20 23:21:06 UTC 2021
The branch OpenSSL_1_1_1-stable has been updated
via a3dea76f742896b7d75a0c0529c0af1e628bd853 (commit)
from 7f424d16c5358a2c5c652cd23b841e44550d1027 (commit)
- Log -----------------------------------------------------------------
commit a3dea76f742896b7d75a0c0529c0af1e628bd853
Author: Pauli <pauli at openssl.org>
Date: Mon Apr 19 08:55:37 2021 +1000
ts: fix double free on error path.
In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439.
After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token.
In the err branch, md_alg will be freed in the second time at line 320.
Bug reported by @Yunlongs
Fixes #14914
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
(cherry picked from commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7)
-----------------------------------------------------------------------
Summary of changes:
crypto/ts/ts_rsp_verify.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index c2e7abd67f..7302e0f8d1 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -612,6 +612,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
err:
EVP_MD_CTX_free(md_ctx);
X509_ALGOR_free(*md_alg);
+ *md_alg = NULL;
OPENSSL_free(*imprint);
*imprint_len = 0;
*imprint = 0;
More information about the openssl-commits
mailing list