Fix segfault in RSA_free() (and DSA/DH/EC_KEY)

`RSA_free()` and friends are called in case of error from `RSA_new_method(ENGINE *e)` (or the respective equivalent functions). For the rest of the description I'll talk about `RSA_*`, but the same applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`. If `RSA_new_method()` fails because the engine does not implement the required method, when `RSA_free(RSA *r)` is called, `r->meth == NULL` and a segfault happens while checking if `r->meth->finish` is defined. This commit fixes this issue by ensuring that `r->meth` is not NULL before dereferencing it to check for `r->meth->finish`. Fixes #7102 . Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Tim Hudson <tjh@openssl.org> Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: N Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7121)

Fix segfault in RSA_free() (and DSA/DH/EC_KEY)
`RSA_free()` and friends are called in case of error from `RSA_new_method(ENGINE *e)` (or the respective equivalent functions). For the rest of the description I'll talk about `RSA_*`, but the same applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`. If `RSA_new_method()` fails because the engine does not implement the required method, when `RSA_free(RSA *r)` is called, `r->meth == NULL` and a segfault happens while checking if `r->meth->finish` is defined. This commit fixes this issue by ensuring that `r->meth` is not NULL before dereferencing it to check for `r->meth->finish`. Fixes #7102 . Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Tim Hudson <tjh@openssl.org> Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: N Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7121)
0c5d725e · Nicola Tuveri · 2167640b · 0c5d725e · 0c5d725e · 0c5d725e
Showing with 4 addition and 4 deletion

crypto/dh/dh_lib.c crypto/dh/dh_lib.c +1 -1

crypto/dsa/dsa_lib.c crypto/dsa/dsa_lib.c +1 -1

crypto/ec/ec_key.c crypto/ec/ec_key.c +1 -1

crypto/rsa/rsa_lib.c crypto/rsa/rsa_lib.c +1 -1

未找到文件。
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -104,7 +104,7 @@ void DH_free(DH *r)
        return;
    REF_ASSERT_ISNT(i < 0);

-    if (r->meth->finish)
+    if (r->meth != NULL && r->meth->finish != NULL)
        r->meth->finish(r);
 #ifndef OPENSSL_NO_ENGINE
    ENGINE_finish(r->engine);

--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -111,7 +111,7 @@ void DSA_free(DSA *r)
        return;
    REF_ASSERT_ISNT(i < 0);

-    if (r->meth->finish)
+    if (r->meth != NULL && r->meth->finish != NULL)
        r->meth->finish(r);
 #ifndef OPENSSL_NO_ENGINE
    ENGINE_finish(r->engine);

--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -51,7 +51,7 @@ void EC_KEY_free(EC_KEY *r)
        return;
    REF_ASSERT_ISNT(i < 0);

-    if (r->meth->finish != NULL)
+    if (r->meth != NULL && r->meth->finish != NULL)
        r->meth->finish(r);

 #ifndef OPENSSL_NO_ENGINE

--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -115,7 +115,7 @@ void RSA_free(RSA *r)
        return;
    REF_ASSERT_ISNT(i < 0);

-    if (r->meth->finish)
+    if (r->meth != NULL && r->meth->finish != NULL)
        r->meth->finish(r);
 #ifndef OPENSSL_NO_ENGINE
    ENGINE_finish(r->engine);