From 5dcd1870e1bf596d26a5c4415f176953dd06e765 Mon Sep 17 00:00:00 2001
From: Ted Unangst <tedu@cvs.openbsd.org>
Date: Wed, 23 Apr 2014 20:21:24 +0000
Subject: if realloc failed, BIO_accept would leak memory and return NULL,
 causing caller to crash. Fix leak and return an error instead. from Chad
 Loder

---
 lib/libcrypto/bio/b_sock.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/libcrypto/bio/b_sock.c b/lib/libcrypto/bio/b_sock.c
index a6dd43f397b..a7791b39e2e 100644
--- a/lib/libcrypto/bio/b_sock.c
+++ b/lib/libcrypto/bio/b_sock.c
@@ -449,7 +449,7 @@ BIO_accept(int sock, char **addr)
 	int ret = -1;
 	unsigned long l;
 	unsigned short port;
-	char *p;
+	char *p, *tmp;
 
 	struct {
 		/*
@@ -534,11 +534,19 @@ BIO_accept(int sock, char **addr)
 		p = *addr;
 		if (p) {
 			*p = '\0';
-			p = realloc(p, nl);
+			if (!(tmp = realloc(p, nl))) {
+				ret = -1;
+				free(p);
+				*addr = NULL;
+				BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
+				goto end;
+			}
+			p = tmp;
 		} else {
 			p = malloc(nl);
 		}
 		if (p == NULL) {
+			ret = -1;
 			BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
 			goto end;
 		}
@@ -553,6 +561,7 @@ BIO_accept(int sock, char **addr)
 	port = ntohs(sa.from.sa_in.sin_port);
 	if (*addr == NULL) {
 		if ((p = malloc(24)) == NULL) {
+			ret = -1;
 			BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
 			goto end;
 		}
-- 
cgit v1.2.3