41 lines
1.4 KiB
Diff
41 lines
1.4 KiB
Diff
From c39b0146144293a88abd73115bcfbd9d27af3897 Mon Sep 17 00:00:00 2001
|
|
From: starlet-dx <15929766099@163.com>
|
|
Date: Wed, 22 Feb 2023 19:30:41 +0800
|
|
Subject: [PATCH 1/1] Avoid dangling ptrs in header and data params for PEM_read_bio_ex
|
|
|
|
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
|
allocated for the header and data buffers. However we were not clearing
|
|
the ptrs stored in *header and *data. Since, on success, the caller is
|
|
responsible for freeing these ptrs this can potentially lead to a double
|
|
free if the caller frees them even on failure.
|
|
|
|
Thanks to Dawei Wang for reporting this issue.
|
|
|
|
Based on a proposed patch by Kurt Roeckx.
|
|
|
|
CVE-2022-4450
|
|
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
---
|
|
deps/openssl/openssl/crypto/pem/pem_lib.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/deps/openssl/openssl/crypto/pem/pem_lib.c b/deps/openssl/openssl/crypto/pem/pem_lib.c
|
|
index 2de09359..173045be 100644
|
|
--- a/deps/openssl/openssl/crypto/pem/pem_lib.c
|
|
+++ b/deps/openssl/openssl/crypto/pem/pem_lib.c
|
|
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
|
|
*data = pem_malloc(len, flags);
|
|
if (*header == NULL || *data == NULL) {
|
|
pem_free(*header, flags, 0);
|
|
+ *header = NULL;
|
|
pem_free(*data, flags, 0);
|
|
+ *data = NULL;
|
|
goto end;
|
|
}
|
|
BIO_read(headerB, *header, headerlen);
|
|
--
|
|
2.30.0
|
|
|