Fix bug where freed OIDs could be accessed in EVP_cleanup() by

defering freeing in OBJ_cleanup().

1 files changed, 11 insertions, 0 deletions

diff --git a/crypto/evp/names.c b/crypto/evp/names.c
index 88c1e780dd..348df71cba 100644
--- a/crypto/evp/names.c
+++ b/crypto/evp/names.c
@@ -62,12 +62,16 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
+extern int obj_cleanup_defer;
+extern void check_defer(int nid);
+
 int EVP_add_cipher(const EVP_CIPHER *c)
 	{
 	int r;
 
 	r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
 	if (r == 0) return(0);
+	check_defer(c->nid);
 	r=OBJ_NAME_add(OBJ_nid2ln(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
 	return(r);
 	}
@@ -80,6 +84,7 @@ int EVP_add_digest(const EVP_MD *md)
 	name=OBJ_nid2sn(md->type);
 	r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md);
 	if (r == 0) return(0);
+	check_defer(md->type);
 	r=OBJ_NAME_add(OBJ_nid2ln(md->type),OBJ_NAME_TYPE_MD_METH,(const char *)md);
 	if (r == 0) return(0);
 
@@ -88,6 +93,7 @@ int EVP_add_digest(const EVP_MD *md)
 		r=OBJ_NAME_add(OBJ_nid2sn(md->pkey_type),
 			OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,name);
 		if (r == 0) return(0);
+		check_defer(md->pkey_type);
 		r=OBJ_NAME_add(OBJ_nid2ln(md->pkey_type),
 			OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,name);
 		}
@@ -120,4 +126,9 @@ void EVP_cleanup(void)
 	OBJ_NAME_cleanup(-1);
 
 	EVP_PBE_cleanup();
+	if (obj_cleanup_defer == 2)
+		{
+		obj_cleanup_defer = 0;
+		OBJ_cleanup();
+		}
 	}