| From 515c728dbaa92211d2eafb0041ab9fcd258fdc41 Mon Sep 17 00:00:00 2001 |
| From: Bernd Edlinger <bernd.edlinger@hotmail.de> |
| Date: Mon, 9 Sep 2019 19:12:25 +0200 |
| Subject: [PATCH] Fix potential memory leaks with BN_to_ASN1_INTEGER |
| |
| Reviewed-by: Paul Dale <paul.dale@oracle.com> |
| Reviewed-by: Matt Caswell <matt@openssl.org> |
| (Merged from https://github.com/openssl/openssl/pull/9833) |
| |
| (cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09) |
| --- |
| crypto/ec/ec_asn1.c | 7 +++++-- |
| crypto/x509v3/v3_asid.c | 26 ++++++++++++++++++++------ |
| 2 files changed, 25 insertions(+), 8 deletions(-) |
| |
| diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c |
| index 1ce1181fc10..7cbf8de9813 100644 |
| --- a/crypto/ec/ec_asn1.c |
| +++ b/crypto/ec/ec_asn1.c |
| @@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, |
| unsigned char *buffer = NULL; |
| const EC_POINT *point = NULL; |
| point_conversion_form_t form; |
| + ASN1_INTEGER *orig; |
| |
| if (params == NULL) { |
| if ((ret = ECPARAMETERS_new()) == NULL) { |
| @@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, |
| ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB); |
| goto err; |
| } |
| - ret->order = BN_to_ASN1_INTEGER(tmp, ret->order); |
| + ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order); |
| if (ret->order == NULL) { |
| + ret->order = orig; |
| ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB); |
| goto err; |
| } |
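Review bot: The save of the old pointer is buried in the argument list in `BN_to_ASN1_INTEGER(tmp, orig = ret->order)`, so the leak fix is easy to overlook and easy to undo in a later cleanup; the `ret->cofactor` hunk that follows uses the same form. I would write it as two statements, `orig = ret->order;` then `ret->order = BN_to_ASN1_INTEGER(tmp, orig);`, and put a comment above the restore such as `/* a failed call does not free the object passed in; keep it so the owner can still release it */`. Whether a failed call leaves the passed-in object unmodified is not visible here, so it is worth confirming that the restored value is still consistent when `params` was supplied by the caller. The function body and the `err` label lie outside the hunk.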
| @@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, |
| /* set the cofactor (optional) */ |
| tmp = EC_GROUP_get0_cofactor(group); |
| if (tmp != NULL) { |
| - ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor); |
| + ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor); |
| if (ret->cofactor == NULL) { |
| + ret->cofactor = orig; |
| ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB); |
| goto err; |
| } |
| diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c |
| index 089f2ae29f0..ef2d64826fb 100644 |
| --- a/crypto/x509v3/v3_asid.c |
| +++ b/crypto/x509v3/v3_asid.c |
| @@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor, |
| static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) |
| { |
| ASN1_INTEGER *a_max_plus_one = NULL; |
| + ASN1_INTEGER *orig; |
| BIGNUM *bn = NULL; |
| int i, ret = 0; |
| |
| @@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) |
| */ |
| if ((bn == NULL && (bn = BN_new()) == NULL) || |
| ASN1_INTEGER_to_BN(a_max, bn) == NULL || |
| - !BN_add_word(bn, 1) || |
| - (a_max_plus_one = |
| - BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { |
| + !BN_add_word(bn, 1)) { |
| + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, |
| + ERR_R_MALLOC_FAILURE); |
| + goto done; |
| + } |
| + |
| + if ((a_max_plus_one = |
| + BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { |
| + a_max_plus_one = orig; |
| X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, |
| ERR_R_MALLOC_FAILURE); |
| goto done; |
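Review bot: The first error branch still raises `ERR_R_MALLOC_FAILURE` when `ASN1_INTEGER_to_BN(a_max, bn)` or `BN_add_word(bn, 1)` fails, and splitting the condition was the natural point to tell these cases apart; the matching hunk in `ASIdentifierChoice_canonize` has the same issue. `a_max` is taken from the identifier list being checked, so a conversion failure is presumably not always an allocation failure, and a reason such as `ERR_R_ASN1_LIB` (used for the same call in `ec_asn1.c`) would make failures on malformed input easier to diagnose. The restore `a_max_plus_one = orig;` would also benefit from a one-line comment saying that the previous object is kept so the cleanup at `done` can free it. That label and the enclosing loop are outside the hunk.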
| @@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid) |
| static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) |
| { |
| ASN1_INTEGER *a_max_plus_one = NULL; |
| + ASN1_INTEGER *orig; |
| BIGNUM *bn = NULL; |
| int i, ret = 0; |
| |
| @@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) |
| */ |
| if ((bn == NULL && (bn = BN_new()) == NULL) || |
| ASN1_INTEGER_to_BN(a_max, bn) == NULL || |
| - !BN_add_word(bn, 1) || |
| - (a_max_plus_one = |
| - BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { |
| + !BN_add_word(bn, 1)) { |
| + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, |
| + ERR_R_MALLOC_FAILURE); |
| + goto done; |
| + } |
| + |
| + if ((a_max_plus_one = |
| + BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { |
| + a_max_plus_one = orig; |
| X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, |
| ERR_R_MALLOC_FAILURE); |
| goto done; |