authorDoug Hogan <doug@cvs.openbsd.org>2015-02-07 04:37:36 +0000
committerDoug Hogan <doug@cvs.openbsd.org>2015-02-07 04:37:36 +0000
commit1da958521263b5795f8977fe05ae3ac628d75090 (patch)
tree9190e70454dd941bbd021542cb35faa661c96dfe /lib/libssl
parent6d29a9704aba54def8826d638eaddfd891518358 (diff)
Only call free in CBB_init().
CBB_init_fixed() should not call free because it can lead to use-after-free or double-free bugs. The caller should be responsible for creating and destroying the buffer. From BoringSSL commit a84f06fc1eee6ea25ce040675fbad72c532afece; miod agrees with the reasoning. ok jsing@, beck@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/bs_cbb.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/libssl/bs_cbb.c b/lib/libssl/bs_cbb.c
index 94ca54f43b7..eed80916985 100644
--- a/lib/libssl/bs_cbb.c
+++ b/lib/libssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bs_cbb.c,v 1.3 2015/02/06 22:22:33 doug Exp $ */
+/* $OpenBSD: bs_cbb.c,v 1.4 2015/02/07 04:37:35 doug Exp $ */
/*
* Copyright (c) 2014, Google Inc.
*
@@ -29,7 +29,6 @@ cbb_init(CBB *cbb, uint8_t *buf, size_t cap)
base = malloc(sizeof(struct cbb_buffer_st));
if (base == NULL) {
- free(buf);
return 0;
}
@@ -53,7 +52,11 @@ CBB_init(CBB *cbb, size_t initial_capacity)
if (initial_capacity > 0 && buf == NULL)
return 0;
- return cbb_init(cbb, buf, initial_capacity);
+ if (!cbb_init(cbb, buf, initial_capacity)) {
+ free(buf);
+ return 0;
+ }
+ return 1;
}
int
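Review bot: The ownership rule that the new failure branch in CBB_init() relies on is not written down in the visible code: once the cbb_init() hunk drops its `free(buf)`, cbb_init() owns `buf` only when it returns 1, and on a 0 return the buffer still belongs to the caller. A comment at the added branch, for example `/* cbb_init() takes ownership of buf only on success; free it here on failure */`, would keep a later edit from putting a free back into cbb_init() and reintroducing the double free or use after free for CBB_init_fixed() callers that the commit message describes. CBB_init() starts outside the hunk, so the allocation of `buf` is not visible here. The rest of cbb_init() is also outside the hunk; if `cbb` is left untouched when the malloc of `base` fails, it is worth confirming that no caller runs CBB_cleanup() on it after a 0 return.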