Avoid dangling ptrs in header and data params for PEM_read_bio_ex

In the event of a failure in PEM_read_bio_ex() we free the buffers we allocated for the header and data buffers. However we were not clearing the ptrs stored in *header and *data. Since, on success, the caller is responsible for freeing these ptrs this can potentially lead to a double free if the caller frees them even on failure. Thanks to Dawei Wang for reporting this issue. Based on a proposed patch by Kurt Roeckx. CVE-2022-4450 Reviewed-by: N Paul Dale <pauli@openssl.org> Reviewed-by: N Hugo Landau <hlandau@openssl.org> Signed-off-by: N code4lala <fengziteng2@huawei.com> Change-Id: Ic4a32fd3b5cbebfcc20bb93db250d44a60f00dd3

Avoid dangling ptrs in header and data params for PEM_read_bio_ex
In the event of a failure in PEM_read_bio_ex() we free the buffers we allocated for the header and data buffers. However we were not clearing the ptrs stored in *header and *data. Since, on success, the caller is responsible for freeing these ptrs this can potentially lead to a double free if the caller frees them even on failure. Thanks to Dawei Wang for reporting this issue. Based on a proposed patch by Kurt Roeckx. CVE-2022-4450 Reviewed-by: N Paul Dale <pauli@openssl.org> Reviewed-by: N Hugo Landau <hlandau@openssl.org> Signed-off-by: N code4lala <fengziteng2@huawei.com> Change-Id: Ic4a32fd3b5cbebfcc20bb93db250d44a60f00dd3
2ed6bebc · Matt Caswell · code4lala · 6e45e628 · 2ed6bebc
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

crypto/pem/pem_lib.c crypto/pem/pem_lib.c +2 -0

未找到文件。
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,

 out_free:
    pem_free(*header, flags, 0);
+    *header = NULL;
    pem_free(*data, flags, 0);
+    *data = NULL;
 end:
    EVP_ENCODE_CTX_free(ctx);
    pem_free(name, flags, 0);