author | Pauli <pauli@openssl.org> | 2021-04-19 08:55:37 +1000 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-04-21 09:17:22 +1000 |
commit | db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7 | |
tree | f7a9f8b7498f39e0d2cfb4e8dc081d15e4ceb7d8 /crypto/ts | |
parent | b06450bcf763735a89b65ca3ec176600fe7fceed | |
ts: fix double free on error path.
In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
But after the allocation, if the execution goes to err, then md_alg will be freed the first time by X509_ALGOR_free at line 439.
After that, ts_compute_imprint returns 0 and the execution goes to the err branch of int_ts_RESP_verify_token.
In the err branch, md_alg will be freed a second time at line 320.
Bug reported by @Yunlongs
Fixes #14914
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
Diffstat (limited to 'crypto/ts')
-rw-r--r-- | crypto/ts/ts_rsp_verify.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 89428cdf54..f307e29fda 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -437,6 +437,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info, err: EVP_MD_CTX_free(md_ctx); X509_ALGOR_free(*md_alg); + *md_alg = NULL; OPENSSL_free(*imprint); *imprint_len = 0; *imprint = 0; |
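Review bot: The added `*md_alg = NULL;` in the `err:` block of ts_compute_imprint leaves the failure contract undocumented: on error the callee now frees and clears the caller's pointer, and the caller's own err cleanup is only safe because freeing NULL is a no-op. Suggest a short comment at the function (or at the `err:` label) stating that on failure `*md_alg` and `*imprint` are freed and reset, so a later caller or refactor does not reintroduce the second free. As a style point in the same block, the neighbouring `*imprint = 0;` resets a pointer with 0 while the new line uses NULL; making them consistent would read better. The diffstat shows only crypto/ts/ts_rsp_verify.c changed with one insertion, so nothing exercises the failing path; a regression test that forces ts_compute_imprint to fail with TS_VFY_DATA set would keep this from coming back.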