Avoid dangling ptrs in header and data params for PEM_read_bio_ex

In the event of a failure in PEM_read_bio_ex() we free the buffers we allocated for the header and data buffers. However we were not clearing the ptrs stored in *header and *data. Since, on success, the caller is responsible for freeing these ptrs this can potentially lead to a double free if the caller frees them even on failure. Thanks to Dawei Wang for reporting this issue. Based on a proposed patch by Kurt Roeckx. CVE-2022-4450 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
author: Matt Caswell <matt@openssl.org> 2022-12-13 14:54:55 +0000
committer: Tomas Mraz <tomas@openssl.org> 2023-02-03 12:38:44 +0100
commit: 63bcf189be73a9cc1264059bed6f57974be74a83 (patch)
tree: 40a6c798932600b6f3c71daecf3f5aed71daa309 /crypto
parent: 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index f9ff80162a..85c47fb627 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
 
 out_free:
     pem_free(*header, flags, 0);
+    *header = NULL;
     pem_free(*data, flags, 0);
+    *data = NULL;
 end:
     EVP_ENCODE_CTX_free(ctx);
     pem_free(name, flags, 0);
author	Matt Caswell <matt@openssl.org>	2022-12-13 14:54:55 +0000
committer	Tomas Mraz <tomas@openssl.org>	2023-02-03 12:38:44 +0100
commit	63bcf189be73a9cc1264059bed6f57974be74a83 (patch)
tree	40a6c798932600b6f3c71daecf3f5aed71daa309 /crypto
parent	8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d (diff)