32 lines
1.2 KiB
Diff
32 lines
1.2 KiB
Diff
commit 2fc14c59ca0eb275dfb9308e9d1d89a1dcbc2a24
|
|
Author: Matt Caswell <matt@openssl.org>
|
|
Date: Tue Dec 13 14:54:55 2022 +0000
|
|
|
|
Avoid dangling ptrs in header and data params for PEM_read_bio_ex
|
|
|
|
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
|
allocated for the header and data buffers. However we were not clearing
|
|
the ptrs stored in *header and *data. Since, on success, the caller is
|
|
responsible for freeing these ptrs this can potentially lead to a double
|
|
free if the caller frees them even on failure.
|
|
|
|
Thanks to Dawei Wang for reporting this issue.
|
|
|
|
Based on a proposed patch by Kurt Roeckx.
|
|
|
|
CVE-2022-4450
|
|
|
|
Index: openssl-1.1.1l/crypto/pem/pem_lib.c
|
|
===================================================================
|
|
--- openssl-1.1.1l.orig/crypto/pem/pem_lib.c
|
|
+++ openssl-1.1.1l/crypto/pem/pem_lib.c
|
|
@@ -954,7 +954,9 @@ int PEM_read_bio_ex(BIO *bp, char **name
|
|
*data = pem_malloc(len, flags);
|
|
if (*header == NULL || *data == NULL) {
|
|
pem_free(*header, flags, 0);
|
|
+ *header = NULL;
|
|
pem_free(*data, flags, 0);
|
|
+ *data = NULL;
|
|
goto end;
|
|
}
|
|
BIO_read(headerB, *header, headerlen);
|