From 45b244620a74248b46ebe1c85e86437b9641447a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 30 Oct 2019 13:20:33 +0000 Subject: Don't leak memory in the event of a failure in i2v_GENERAL_NAMES i2v_GENERAL_NAMES call i2v_GENERAL_NAME repeatedly as required. Each time i2v_GENERAL_NAME gets called it allocates adds data to the passed in stack and then returns a pointer to the stack, or NULL on failure. If the passed in stack is itself NULL then it allocates one. i2v_GENERAL_NAMES was not correctly handling the case where a NULL gets returned from i2v_GENERAL_NAME. If a stack had already been allocated then it just leaked it. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/10300) --- crypto/x509/v3_alt.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/crypto/x509/v3_alt.c b/crypto/x509/v3_alt.c index 5d1ece71cb..1feb2d6735 100644 --- a/crypto/x509/v3_alt.c +++ b/crypto/x509/v3_alt.c @@ -52,11 +52,24 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, { int i; GENERAL_NAME *gen; + STACK_OF(CONF_VALUE) *tmpret = NULL, *origret = ret; + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gen = sk_GENERAL_NAME_value(gens, i); - ret = i2v_GENERAL_NAME(method, gen, ret); + /* + * i2v_GENERAL_NAME allocates ret if it is NULL. If something goes + * wrong we need to free the stack - but only if it was empty when we + * originally entered this function. + */ + tmpret = i2v_GENERAL_NAME(method, gen, ret); + if (tmpret == NULL) { + if (origret == NULL) + sk_CONF_VALUE_pop_free(ret, X509V3_conf_free); + return NULL; + } + ret = tmpret; } - if (!ret) + if (ret == NULL) return sk_CONF_VALUE_new_null(); return ret; } -- cgit v1.2.3