[openssl-dev] [openssl.org #4193] Minor Issue with X509_STORE_CTX_init and its callers.
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Dec 22 07:24:52 UTC 2015
On Tue, Dec 22, 2015 at 06:53:54AM +0000, Viktor Dukhovni wrote:
> On Tue, Dec 22, 2015 at 04:33:45AM +0000, Srinivas Koripella via RT wrote:
>
> > There is a minor issue with X509_STORE_CTX_init and its usage. Most of
> > the callers of X509_STORE_CTX_init use a stack variable and pass its
> > address as the ctx argument to this function. However, X509_STORE_CTX_init
> > in case of an error in the call to CRYPTO_new_ex_data does an OPENSSL_free
> > on this stack variable. This in theory should be ok as the underlying
> > free implementation should probably be a no-op as this address is from
> > the stack.
>
> Thanks for the report. The bug was introduced way back on 2001/09/01
> by commit 79aa04ef27f69a1149d4d0e72d2d2953b6241ef0 and is present
> in OpenSSL 0.9.8 through 1.0.2.
>
> In the "master" development branch the extraneous "free" is gone,
> but the code is still not quite right, because the memset removed
> in 2001 really does belong (early) in X509_STORE_CTX_init() and
> should have been removed from X509_STORE_CTX_cleanup() instead,
> where zeroing data that is invalidated by cleanup is of course.
>
> Try the (lightly tested) patch below my signature.
Note, that patch was for 1.0.2e. No idea how cleanly it applies
to other releases.
--
Viktor.
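As an added illustration (not OpenSSL's code, and not the patch Viktor refers to), here is a constructed C model of the init/cleanup contract the report describes: the context is caller-owned, often on the stack, so an init failure must leave it zeroed and return rather than free it, and cleanup releases only what init allocated. The names store_ctx, alloc_fn, failing_alloc and demo_init_on_stack are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified caller-owned context (constructed for this example, not OpenSSL's
 * X509_STORE_CTX). Callers usually declare it on the stack, so init() must
 * never free it, whatever goes wrong. */
typedef struct {
    void *ex_data;          /* stands in for the CRYPTO_EX_DATA member */
    int depth, initialised;
} store_ctx;

typedef void *(*alloc_fn)(size_t); /* injectable: lets a test make the ex_data allocation fail */
static void *failing_alloc(size_t n) { (void)n; return NULL; }
/* 1 on success, 0 on failure. On failure ctx is left fully zeroed so a later
 * cleanup is a harmless no-op; the storage itself belongs to the caller. */
int store_ctx_init(store_ctx *ctx, int depth, alloc_fn alloc)
{
    memset(ctx, 0, sizeof(*ctx));   /* zero early: known state from here on */
    ctx->depth = depth;
    ctx->ex_data = alloc(64);
    if (ctx->ex_data == NULL) {
        /* 0.9.8..1.0.2 called OPENSSL_free(ctx) here; undo only our own work. */
        memset(ctx, 0, sizeof(*ctx));
        return 0;
    }
    ctx->initialised = 1;
    return 1;
}

/* Releases what init() allocated; safe after a failed init and if called twice. */
void store_ctx_cleanup(store_ctx *ctx)
{
    free(ctx->ex_data);
    ctx->ex_data = NULL;
    ctx->initialised = 0;
}

/* Runs init() on a stack ctx with the given allocator, then cleanup. Returns 1 if
 * init succeeded, 0 if it failed and left ctx cleanly zeroed, -1 if ctx is inconsistent. */
int demo_init_on_stack(alloc_fn alloc, int depth)
{
    store_ctx ctx;
    int rc = store_ctx_init(&ctx, depth, alloc), result = -1;
    if (rc == 1 && ctx.initialised == 1 && ctx.depth == depth && ctx.ex_data != NULL)
        result = 1;
    else if (rc == 0 && ctx.initialised == 0 && ctx.depth == 0 && ctx.ex_data == NULL)
        result = 0;
    store_ctx_cleanup(&ctx);        /* must be safe on both paths */
    return result;
}
```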