[openssl] OpenSSL_1_1_1-stable update

Dr. Paul Dale pauli at openssl.org
Tue Apr 20 23:21:06 UTC 2021

The branch OpenSSL_1_1_1-stable has been updated
       via  a3dea76f742896b7d75a0c0529c0af1e628bd853 (commit)
      from  7f424d16c5358a2c5c652cd23b841e44550d1027 (commit)

- Log -----------------------------------------------------------------
commit a3dea76f742896b7d75a0c0529c0af1e628bd853
Author: Pauli <pauli at openssl.org>
Date:   Mon Apr 19 08:55:37 2021 +1000

    ts: fix double free on error path.
    In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
    In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
    But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439.
    After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token.
    In the err branch, md_alg will be freed in the second time at line 320.
    Bug reported by @Yunlongs
    Fixes #14914
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14921)
    (cherry picked from commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7)


Summary of changes:
 crypto/ts/ts_rsp_verify.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index c2e7abd67f..7302e0f8d1 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -612,6 +612,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
+    *md_alg = NULL;
     *imprint_len = 0;
     *imprint = 0;

More information about the openssl-commits mailing list