From becdc13fd87052058c87dd0ee3894345617085b8 Mon Sep 17 00:00:00 2001 From: Pavel Kopyl Date: Sun, 10 Dec 2017 22:49:42 +0300 Subject: [PATCH] X509V3_EXT_add_nconf_sk, X509v3_add_ext: fix errors handling X509v3_add_ext: free 'sk' if the memory pointed to by it was malloc-ed inside this function. X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails. This prevents use of a freed memory in do_body:sk_X509_EXTENSION_num(). Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/4896) --- crypto/x509/x509_v3.c | 2 +- crypto/x509v3/v3_conf.c | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c index 4a03445a64..9a3517e02a 100644 --- a/crypto/x509/x509_v3.c +++ b/crypto/x509/x509_v3.c @@ -177,7 +177,7 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, err2: if (new_ex != NULL) X509_EXTENSION_free(new_ex); - if (sk != NULL) + if (x != NULL && *x == NULL && sk != NULL) sk_X509_EXTENSION_free(sk); return (NULL); } diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c index c1b4c1a89f..c984aa0d38 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509v3/v3_conf.c @@ -340,8 +340,12 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, val = sk_CONF_VALUE_value(nval, i); if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value))) return 0; - if (sk) - X509v3_add_ext(sk, ext, -1); + if (sk != NULL) { + if (X509v3_add_ext(sk, ext, -1) == NULL) { + X509_EXTENSION_free(ext); + return 0; + } + } X509_EXTENSION_free(ext); } return 1; -- 2.40.0