authorMatt Caswell <matt@openssl.org>2021-12-06 11:13:02 +0000
committerMatt Caswell <matt@openssl.org>2021-12-07 12:16:50 +0000
commite819b5727312477f8c1f56bf928e611ad7e78315 (patch)
tree0a78495229bf9dc60c16fa2535be52575372ebc1 /ssl/s3_lib.c
parent119f8145c3bde29aae5d5b18c44d1663df975ef5 (diff)
Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functions
We should not be freeing the caller's key in the event of error. Fixes #17196 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17209)
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r--ssl/s3_lib.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 1a89bde851..874b36fad0 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3448,7 +3448,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
- return SSL_set0_tmp_dh_pkey(s, pkdh);
+ if (!SSL_set0_tmp_dh_pkey(s, pkdh)) {
+ EVP_PKEY_free(pkdh);
+ return 0;
+ }
+ return 1;
}
break;
case SSL_CTRL_SET_TMP_DH_CB:
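Review bot: The new `EVP_PKEY_free(pkdh)` on the failure path is only safe if `SSL_set0_tmp_dh_pkey()` no longer frees its argument on error, and that half of the change is outside this file's diff, so nothing at the call site records the ownership contract. If this file were ever applied or backported without the companion change, the failure path would free the key twice. I would add a comment above the free, e.g. `/* set0 takes ownership only on success; pkdh is ours to free on failure */`, and repeat it in the identical block in ssl3_ctx_ctrl (second hunk). pkdh appears to be created just above the hunk, where only the malloc-failure branch is visible; the enclosing case block starts outside the hunk.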
@@ -3774,7 +3778,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
- return SSL_CTX_set0_tmp_dh_pkey(ctx, pkdh);
+ if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkdh)) {
+ EVP_PKEY_free(pkdh);
+ return 0;
+ }
+ return 1;
}
case SSL_CTRL_SET_TMP_DH_CB:
{