diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-02-18 12:47:23 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-02-19 14:03:07 +0000 |
commit | 6c88c71b4e4825c7bc0489306d062d017634eb88 (patch) | |
tree | 89c2e24b0b7702ae6fb507f640b25cdd1e01715b | |
parent | c575ceffdbc38a32f1229cf30d901403c9361334 (diff) |
Fix double free in DSA private key parsing.
Fix double free bug when parsing malformed DSA private keys.
Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.
CVE-2016-0705
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-rw-r--r-- | crypto/dsa/dsa_ameth.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index e385dd3a6f..cc83d6e6ad 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -191,6 +191,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) STACK_OF(ASN1_TYPE) *ndsa = NULL; DSA *dsa = NULL; + int ret = 0; + if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) return 0; X509_ALGOR_get0(NULL, &ptype, &pval, palg); @@ -262,23 +264,21 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) } EVP_PKEY_assign_DSA(pkey, dsa); - BN_CTX_free(ctx); - if (ndsa) - sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); - else - ASN1_STRING_clear_free(privkey); - return 1; + ret = 1; + goto done; decerr: DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_DECODE_ERROR); dsaerr: + DSA_free(dsa); + done: BN_CTX_free(ctx); - if (privkey) + if (ndsa) + sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); + else ASN1_STRING_clear_free(privkey); - sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); - DSA_free(dsa); - return 0; + return ret; } static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) |