diff options
| author | Matt Caswell <matt@openssl.org> | 2022-12-13 14:54:55 +0000 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2023-02-07 17:02:46 +0100 |
| commit | 7e1d8445b57203211413259eeb53bb4a9400021a (patch) | |
| tree | d32a6b21e3f879dc633ac0f8cc31068854c55e35 | |
| parent | 8022a4799fe884b3bf8d538e2b4c4ec323663118 (diff) | |
Avoid dangling ptrs in header and data params for PEM_read_bio_ex
In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.
Thanks to Dawei Wang for reporting this issue.
Based on a proposed patch by Kurt Roeckx.
CVE-2022-4450
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
| -rw-r--r-- | crypto/pem/pem_lib.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index f9ff80162a..85c47fb627 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, out_free: pem_free(*header, flags, 0); + *header = NULL; pem_free(*data, flags, 0); + *data = NULL; end: EVP_ENCODE_CTX_free(ctx); pem_free(name, flags, 0); |