diff options
| author | David Benjamin <davidben@google.com> | 2016-03-14 15:03:07 -0400 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2016-04-07 19:22:20 +0100 |
| commit | 6afef8b1fb679df7d6a8606d713192c9907b1890 (patch) | |
| tree | e2113ce4f8371a8491c69ecce082509a4b71388a /ssl | |
| parent | d1094383df07cc8ae266c04cf3ace782447b4d5b (diff) | |
Fix memory leak on invalid CertificateRequest.
Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.
The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.
This was found by libFuzzer.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/statem/statem_clnt.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 73f54bcb96..4806e6782b 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1863,6 +1863,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); goto err; } + xn = NULL; } /* we should setup a certificate to return.... */ @@ -1877,6 +1878,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) err: ossl_statem_set_error(s); done: + X509_NAME_free(xn); sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return ret; } |