diff options
author | Miod Vallat <miod@cvs.openbsd.org> | 2015-07-15 17:41:57 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2015-07-15 17:41:57 +0000 |
commit | 0af6897f0c17228a0439eb129d38f68f137b01a0 (patch) | |
tree | deadef5f09fdec3b817336bd4139a379e92492ea /lib/libcrypto | |
parent | 16b94b1d0270646845952e4424b5166404bc148d (diff) |
Fix two theoretical NULL pointer dereferences which can only happen if you
have seriously corrupted your memory; Coverity CID 21708 and 21721.
While there, plug a memory leak upon error in x509_name_canon().
ok bcook@ beck@
Diffstat (limited to 'lib/libcrypto')
-rw-r--r-- | lib/libcrypto/asn1/x_name.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/lib/libcrypto/asn1/x_name.c b/lib/libcrypto/asn1/x_name.c index 51c5a0ae41e..569c6fe3460 100644 --- a/lib/libcrypto/asn1/x_name.c +++ b/lib/libcrypto/asn1/x_name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_name.c,v 1.29 2015/02/14 15:29:29 miod Exp $ */ +/* $OpenBSD: x_name.c,v 1.30 2015/07/15 17:41:56 miod Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -377,7 +377,8 @@ x509_name_encode(X509_NAME *a) goto memerr; set = entry->set; } - if (!sk_X509_NAME_ENTRY_push(entries, entry)) + if (entries == NULL /* if entry->set is bogusly -1 */ || + !sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr; } len = ASN1_item_ex_i2d(&intname.a, NULL, @@ -449,8 +450,11 @@ x509_name_canon(X509_NAME *a) entries = sk_X509_NAME_ENTRY_new_null(); if (!entries) goto err; - if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) + if (sk_STACK_OF_X509_NAME_ENTRY_push(intname, + entries) == 0) { + sk_X509_NAME_ENTRY_free(entries); goto err; + } set = entry->set; } tmpentry = X509_NAME_ENTRY_new(); @@ -461,7 +465,8 @@ x509_name_canon(X509_NAME *a) goto err; if (!asn1_string_canon(tmpentry->value, entry->value)) goto err; - if (!sk_X509_NAME_ENTRY_push(entries, tmpentry)) + if (entries == NULL /* if entry->set is bogusly -1 */ || + !sk_X509_NAME_ENTRY_push(entries, tmpentry)) goto err; tmpentry = NULL; } |