Fix dsa_pub_encode

The return value from ASN1_STRING_new() was not being checked which could lead to a NULL deref in the event of a malloc failure. Also fixed a mem leak in the error path. Reviewed-by: N Rich Salz <rsalz@openssl.org>

Fix dsa_pub_encode
The return value from ASN1_STRING_new() was not being checked which could lead to a NULL deref in the event of a malloc failure. Also fixed a mem leak in the error path. Reviewed-by: N Rich Salz <rsalz@openssl.org>
0c7ca403 · Matt Caswell · 6aa8dab2 · 0c7ca403
隐藏空白更改
内联并排

Showing with 8 addition and 6 deletion

crypto/dsa/dsa_ameth.c crypto/dsa/dsa_ameth.c +8 -6

未找到文件。
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -129,21 +129,23 @@ static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
 static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
    DSA *dsa;
-    void *pval = NULL;
    int ptype;
    unsigned char *penc = NULL;
    int penclen;
+    ASN1_STRING *str = NULL;
    dsa = pkey->pkey.dsa;
    if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
-        ASN1_STRING *str;
        str = ASN1_STRING_new();
+        if (!str) {
+            DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
        str->length = i2d_DSAparams(dsa, &str->data);
        if (str->length <= 0) {
            DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
            goto err;
        }
-        pval = str;
        ptype = V_ASN1_SEQUENCE;
    } else
        ptype = V_ASN1_UNDEF;
@@ -158,14 +160,14 @@ static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
    }
    if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA),
-                               ptype, pval, penc, penclen))
+                               ptype, str, penc, penclen))
        return 1;
 err:
    if (penc)
        OPENSSL_free(penc);
-    if (pval)
+    if (str)
-        ASN1_STRING_free(pval);
+        ASN1_STRING_free(str);
    return 0;
 }