From ac9918c641b97517913b939d80211e7e6da8c903 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Sat, 1 May 2021 13:13:46 +0000 Subject: Prevent double free in int_TS_RESP_verify_token If TS_compute_imprint fails after md_alg was allocated, there will be a double free in its caller. Obvious fix is to null out the output parameter md_alg just like it's already done for imprint and imprint_len. From Pauli Dale, OpenSSL 1.1.1, a3dea76f742896b7d75a0c0529c0af1e628bd853 ok inoguchi jsing --- lib/libcrypto/ts/ts_rsp_verify.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/libcrypto/ts/ts_rsp_verify.c b/lib/libcrypto/ts/ts_rsp_verify.c index 36ead0671a9..27515adf682 100644 --- a/lib/libcrypto/ts/ts_rsp_verify.c +++ b/lib/libcrypto/ts/ts_rsp_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_verify.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_rsp_verify.c,v 1.19 2021/05/01 13:13:45 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -639,6 +639,7 @@ TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg, err: X509_ALGOR_free(*md_alg); + *md_alg = NULL; free(*imprint); *imprint = NULL; *imprint_len = 0; -- cgit v1.2.3