diff options
author | Pauli <pauli@openssl.org> | 2021-04-19 08:51:38 +1000 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-04-21 09:20:18 +1000 |
commit | 7f424d16c5358a2c5c652cd23b841e44550d1027 (patch) | |
tree | f966177607bc1c8fb328cd79941f65979fbcae6d /crypto/srp | |
parent | 86a90dc749af91f8a7b8da6628c9ffca2bae3009 (diff) |
srp: fix double free,
In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
And *verify is freed via BN_clear_free() at line 743, and return 0.
Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.
Bug reported by @Yunlongs
Fixes #14913
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
(cherry picked from commit b06450bcf763735a89b65ca3ec176600fe7fceed)
Diffstat (limited to 'crypto/srp')
-rw-r--r-- | crypto/srp/srp_vfy.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 3dd2ab0507..a846b37672 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -684,7 +684,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, BIGNUM *x = NULL; BN_CTX *bn_ctx = BN_CTX_new(); unsigned char tmp2[MAX_LEN]; - BIGNUM *salttmp = NULL; + BIGNUM *salttmp = NULL, *verif; if ((user == NULL) || (pass == NULL) || @@ -707,17 +707,18 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, if (x == NULL) goto err; - *verifier = BN_new(); - if (*verifier == NULL) + verif = BN_new(); + if (verif == NULL) goto err; - if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) { - BN_clear_free(*verifier); + if (!BN_mod_exp(verif, g, x, N, bn_ctx)) { + BN_clear_free(verif); goto err; } result = 1; *salt = salttmp; + *verifier = verif; err: if (salt != NULL && *salt != salttmp) |