ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when
authorYann Ylavic <ylavic@apache.org>
Thu, 12 Mar 2015 20:50:09 +0000 (20:50 +0000)
committerYann Ylavic <ylavic@apache.org>
Thu, 12 Mar 2015 20:50:09 +0000 (20:50 +0000)
checking the server certificate constraints (SSL_X509_getBC()).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1666297 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_util_ssl.c

diff --git a/CHANGES b/CHANGES
index c5f00060c8c59b35056baf77921af39a2b64fb5c..3290d62bbbc5afd18275e96aa62c12047fabb055 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,9 @@ Changes with Apache 2.5.0
      to a local URL-path with the INCLUDES filter active, introduced
      in 2.4.11. PR 57531. [Yann Ylavic]
 
+  *) mod_ssl: Fix possible crash when loading server certificate constraints.
+     PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
+
   *) core, modules: Avoid error response/document handling by the core if some
      handler or input filter already did it while reading the request (causing
      a double response body).  [Yann Ylavic]
index 8a41fff7f58e3fec312290765cd89df83b1dabf8..a1fca36202c2cf944a05e59e2077280bc62fffdb 100644 (file)
@@ -173,12 +173,17 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
     *ca = bc->ca;
     *pathlen = -1 /* unlimited */;
     if (bc->pathlen != NULL) {
-        if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL)
+        if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL) {
+            BASIC_CONSTRAINTS_free(bc);
             return FALSE;
-        if ((cp = BN_bn2dec(bn)) == NULL)
+        }
+        if ((cp = BN_bn2dec(bn)) == NULL) {
+            BN_free(bn);
+            BASIC_CONSTRAINTS_free(bc);
             return FALSE;
+        }
         *pathlen = atoi(cp);
-        free(cp);
+        OPENSSL_free(cp);
         BN_free(bn);
     }
     BASIC_CONSTRAINTS_free(bc);
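Review bot: `*pathlen = atoi(cp);` still converts the certificate's pathLenConstraint with no error or range check: atoi() has undefined behaviour when the decimal string does not fit in an int, and a negative encoding such as -1 comes out identical to the `-1 /* unlimited */` sentinel set a few lines above. Since callers presumably rely on this value when checking the server certificate's constraints, it would be safer to parse with `errno = 0; v = strtol(cp, &end, 10);` and return FALSE (after freeing cp, bn and bc, as the new error paths do) when `errno == ERANGE || *end != '\0' || v < 0 || v > INT_MAX`. SSL_X509_getBC starts before and continues past this hunk, so its declarations and final return are not visible here.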