[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Thu Jun 10 08:27:55 UTC 2021
The branch master has been updated
via de5a0198b22c36884fd36021d9e4f589b939674f (commit)
from 5a9dbfc58ab280ec426ed013f5aed5a5660b938a (commit)
- Log -----------------------------------------------------------------
commit de5a0198b22c36884fd36021d9e4f589b939674f
Author: Tomas Mraz <tomas at openssl.org>
Date: Mon Jun 7 16:56:20 2021 +0200
Fix use after free in OSSL_HTTP_REQ_CTX_set1_req()
Fixes #15647
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15648)
-----------------------------------------------------------------------
Summary of changes:
crypto/http/http_client.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index e7e0183b59..79fe9ccd41 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -126,7 +126,8 @@ void OSSL_HTTP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx)
if (rctx->free_wbio)
BIO_free_all(rctx->wbio);
/* do not free rctx->rbio */
- BIO_free(rctx->mem); /* this may indirectly call ERR_clear_error() */
+ BIO_free(rctx->mem);
+ BIO_free(rctx->req);
OPENSSL_free(rctx->buf);
OPENSSL_free(rctx->proxy);
OPENSSL_free(rctx->server);
@@ -260,8 +261,8 @@ int OSSL_HTTP_REQ_CTX_set_expected(OSSL_HTTP_REQ_CTX *rctx,
return 1;
}
-static int set_content(OSSL_HTTP_REQ_CTX *rctx,
- const char *content_type, BIO *req)
+static int set1_content(OSSL_HTTP_REQ_CTX *rctx,
+ const char *content_type, BIO *req)
{
long req_len;
@@ -285,10 +286,16 @@ static int set_content(OSSL_HTTP_REQ_CTX *rctx,
&& BIO_printf(rctx->mem, "Content-Type: %s\r\n", content_type) <= 0)
return 0;
- rctx->req = req;
- if ((req_len = BIO_ctrl(req, BIO_CTRL_INFO, 0, NULL)) <= 0)
- return 1; /* streaming BIO may not support querying size */
- return BIO_printf(rctx->mem, "Content-Length: %ld\r\n", req_len) > 0;
+ /* streaming BIO may not support querying size */
+ if ((req_len = BIO_ctrl(req, BIO_CTRL_INFO, 0, NULL)) <= 0
+ || BIO_printf(rctx->mem, "Content-Length: %ld\r\n", req_len) > 0) {
+ if (!BIO_up_ref(req))
+ return 0;
+ BIO_free(rctx->req);
+ rctx->req = req;
+ return 1;
+ }
+ return 0;
}
int OSSL_HTTP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const char *content_type,
@@ -303,7 +310,7 @@ int OSSL_HTTP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const char *content_type
}
res = (mem = ASN1_item_i2d_mem_bio(it, req)) != NULL
- && set_content(rctx, content_type, mem);
+ && set1_content(rctx, content_type, mem);
BIO_free(mem);
return res;
}
@@ -965,7 +972,7 @@ int OSSL_HTTP_set_request(OSSL_HTTP_REQ_CTX *rctx, const char *path,
&& add1_headers(rctx, headers, rctx->server)
&& OSSL_HTTP_REQ_CTX_set_expected(rctx, expected_content_type,
expect_asn1, timeout, keep_alive)
- && set_content(rctx, content_type, req);
+ && set1_content(rctx, content_type, req);
}
/*-
More information about the openssl-commits
mailing list