[openssl-dev] [openssl.org #3774] Double free in dsa_priv_encode

Martin Vejnár via RT rt at openssl.org
Tue Mar 31 04:19:30 UTC 2015


Hi,

in version 1.0.2, in crypto/dsa/dsa/ameth.c, line 318 frees `prkey`, which may be freed again on line 332 if the call on line 320 fails.

318    ASN1_INTEGER_free(prkey);
319
320    if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dsa), 0,
321                         V_ASN1_SEQUENCE, params, dp, dplen))
322        goto err;
323
324    return 1;
325
326 err:
327    if (dp != NULL)
328        OPENSSL_free(dp);
329    if (params != NULL)
330        ASN1_STRING_free(params);
331    if (prkey != NULL)
332        ASN1_INTEGER_free(prkey);
--
Martin
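
The pattern reported above, as an added example that is not part of the original message and is not OpenSSL code: a pointer is released before a call that can fail, and the err label releases it again. The names obj, obj_release and set0_stub are hypothetical stand-ins, and releases are counted rather than performed so the second one can be observed safely. Clearing the pointer after the first release is one common remedy, shown in the second function.

```c
#include <stdio.h>

/* Constructed stand-in for a heap object: counts releases instead of
 * calling free(), so a second release is observable, not undefined. */
struct obj { int releases; };
static void obj_release(struct obj *o) { o->releases++; }

/* Hypothetical stand-in for the call on line 320; fails on request. */
static int set0_stub(int fail) { return !fail; }

/* Same shape as the reported code: release, fallible call, err label. */
int encode_reported_shape(struct obj *prkey, int fail)
{
    obj_release(prkey);             /* analogue of line 318 */
    if (!set0_stub(fail))           /* analogue of line 320 */
        goto err;
    return 1;
err:
    if (prkey != NULL)              /* still non-NULL after the release */
        obj_release(prkey);         /* analogue of line 332 */
    return 0;
}

/* Remedy: clear the pointer as soon as it has been released. */
int encode_null_after_release(struct obj *prkey, int fail)
{
    obj_release(prkey);
    prkey = NULL;                   /* err path now skips it */
    if (!set0_stub(fail))
        goto err;
    return 1;
err:
    if (prkey != NULL)
        obj_release(prkey);
    return 0;
}

/* Number of releases one object sees under the chosen variant. */
int releases_seen(int fixed, int fail)
{
    struct obj o = {0};
    (fixed ? encode_null_after_release : encode_reported_shape)(&o, fail);
    return o.releases;
}

int main(void)
{
    printf("reported shape, call fails:  %d releases\n", releases_seen(0, 1));
    printf("pointer cleared, call fails: %d releases\n", releases_seen(1, 1));
    return 0;
}
```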

