authorMiod Vallat <miod@cvs.openbsd.org>2015-07-15 17:41:57 +0000
committerMiod Vallat <miod@cvs.openbsd.org>2015-07-15 17:41:57 +0000
commit0af6897f0c17228a0439eb129d38f68f137b01a0 (patch)
treedeadef5f09fdec3b817336bd4139a379e92492ea /lib/libcrypto
parent16b94b1d0270646845952e4424b5166404bc148d (diff)
Fix two theoretical NULL pointer dereferences which can only happen if you
have seriously corrupted your memory; Coverity CID 21708 and 21721. While there, plug a memory leak upon error in x509_name_canon(). ok bcook@ beck@
Diffstat (limited to 'lib/libcrypto')
-rw-r--r--lib/libcrypto/asn1/x_name.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/lib/libcrypto/asn1/x_name.c b/lib/libcrypto/asn1/x_name.c
index 51c5a0ae41e..569c6fe3460 100644
--- a/lib/libcrypto/asn1/x_name.c
+++ b/lib/libcrypto/asn1/x_name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.29 2015/02/14 15:29:29 miod Exp $ */
+/* $OpenBSD: x_name.c,v 1.30 2015/07/15 17:41:56 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -377,7 +377,8 @@ x509_name_encode(X509_NAME *a)
goto memerr;
set = entry->set;
}
- if (!sk_X509_NAME_ENTRY_push(entries, entry))
+ if (entries == NULL /* if entry->set is bogusly -1 */ ||
+ !sk_X509_NAME_ENTRY_push(entries, entry))
goto memerr;
}
len = ASN1_item_ex_i2d(&intname.a, NULL,
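Review bot: The new `entries == NULL` test in x509_name_encode sends an inconsistent `entry->set` to `memerr`, which, judging by the label name, presumably reports an allocation failure, so a corrupted name would surface as an out-of-memory condition. The explanation is also buried mid-expression, which makes the invariant easy to miss. I would split the guard into its own statement, `if (entries == NULL) goto memerr;`, preceded by a comment saying that `entries` is only allocated once `entry->set` differs from the running `set` value, and that a first entry whose `set` already equals the initial value would otherwise reach the push with a NULL stack. The same applies to the identical guard in the last x509_name_canon hunk. The loop head and the `memerr` label are outside this hunk, so the initial value of `set` and the error actually raised are inferred from the inline comment and the label name.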
@@ -449,8 +450,11 @@ x509_name_canon(X509_NAME *a)
entries = sk_X509_NAME_ENTRY_new_null();
if (!entries)
goto err;
- if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries))
+ if (sk_STACK_OF_X509_NAME_ENTRY_push(intname,
+ entries) == 0) {
+ sk_X509_NAME_ENTRY_free(entries);
goto err;
+ }
set = entry->set;
}
tmpentry = X509_NAME_ENTRY_new();
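Review bot: After `sk_X509_NAME_ENTRY_free(entries);` in the new failure branch, `entries` still holds the freed pointer when control jumps to `err`. The `err` label is outside the hunk, so it cannot be confirmed from here that nothing on that path looks at `entries` again. Since this commit also starts using `entries == NULL` as a validity check later in the same function, adding `entries = NULL;` directly after the free would keep that check truthful and rule out a double free if the cleanup code ever changes. A minor style point is that this hunk tests the push result with `== 0` while the other two hunks use `!`; using one form throughout the file would read more consistently.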
@@ -461,7 +465,8 @@ x509_name_canon(X509_NAME *a)
goto err;
if (!asn1_string_canon(tmpentry->value, entry->value))
goto err;
- if (!sk_X509_NAME_ENTRY_push(entries, tmpentry))
+ if (entries == NULL /* if entry->set is bogusly -1 */ ||
+ !sk_X509_NAME_ENTRY_push(entries, tmpentry))
goto err;
tmpentry = NULL;
}