From 9a4e7d863fa5a65b0efef96c1c4891864aac036f Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Mon, 13 Dec 2021 12:16:18 +1100
Subject: evp: address a use after free state when using HMAC and MD copy.

Fixes #17261

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17263)

(cherry picked from commit ad2fcee1632d3f21a37e8e108d4c0dcf9099686d)
---
 crypto/evp/digest.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'crypto/evp')

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index d3a28fa351..d92059cbcc 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -520,7 +520,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
         if (out->fetched_digest != NULL)
             EVP_MD_free(out->fetched_digest);
         *out = *in;
-        return 1;
+        goto clone_pkey;
     }
 
     if (in->digest->prov == NULL
@@ -551,6 +551,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
         }
     }
 
+ clone_pkey:
     /* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */
     EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
 #ifndef FIPS_MODULE
-- 
cgit v1.2.3