From 3bbd1d63e2d77e4e36e869640086f74714b3a4ee Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 12 Nov 2015 15:54:30 +0000
Subject: [PATCH] Fix a NULL deref in an error path

The SRP_create_verifier_BN function goes to the |err| label if the |salt|
value passed to it is NULL. It is then deref'd.

Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 crypto/srp/srp_vfy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index e81ae01779..b271c9904c 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -644,7 +644,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
     *salt = salttmp;
 
  err:
-    if (*salt != salttmp)
+    if (salt != NULL && *salt != salttmp)
         BN_clear_free(salttmp);
     BN_clear_free(x);
     BN_CTX_free(bn_ctx);
-- 
GitLab