diff options
| author | Clemens Lang <cllang@redhat.com> | 2023-05-24 13:12:54 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2023-05-29 14:57:47 +0200 |
| commit | 3cc6933555a0c66328ec659b5bb86c57b6402e1e (patch) | |
| tree | 65b569d16e8bd6565ae1c6b749c6f084fd0b6d00 | |
| parent | b1cc84e82d41ab669bf804ea519f5332c48a3d77 (diff) | |
x509: Handle ossl_policy_level_add_node errors
The invocation of ossl_policy_level_add_node in tree_calculate_user_set
did not have any error handling. Add it to prevent a memory leak for the
allocated extra policy data.
Also add error handling to sk_X509_POLICY_NODE_push to ensure that if
a new node was allocated, but could not be added to the stack, it is
freed correctly.
Fix error handling if tree->user_policies cannot be allocated by
returning 0, indicating failure, rather than 1.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21066)
| -rw-r--r-- | crypto/x509v3/pcy_tree.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 6c7fd35405..3c504e82c6 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -25,6 +25,8 @@ # define OPENSSL_POLICY_TREE_NODES_MAX 1000 #endif +static void exnode_free(X509_POLICY_NODE *node); + /* * Enable this to print out the complete policy tree at various point during * evaluation. @@ -572,15 +574,24 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, extra->qualifier_set = anyPolicy->data->qualifier_set; extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS | POLICY_DATA_FLAG_EXTRA_NODE; - node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1); + node = level_add_node(NULL, extra, anyPolicy->parent, + tree, 1); + if (node == NULL) { + policy_data_free(extra); + return 0; + } } if (!tree->user_policies) { tree->user_policies = sk_X509_POLICY_NODE_new_null(); - if (!tree->user_policies) - return 1; + if (!tree->user_policies) { + exnode_free(node); + return 0; + } } - if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) + if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) { + exnode_free(node); return 0; + } } return 1; } |