From 2ed6bebc8bb8b75d865927c3163bb968a12e1f47 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 13 Dec 2022 14:54:55 +0000
Subject: [PATCH] Avoid dangling ptrs in header and data params for
 PEM_read_bio_ex

In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.

Thanks to Dawei Wang for reporting this issue.

Based on a proposed patch by Kurt Roeckx.

CVE-2022-4450

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Signed-off-by: code4lala <fengziteng2@huawei.com>
Change-Id: Ic4a32fd3b5cbebfcc20bb93db250d44a60f00dd3
---
 crypto/pem/pem_lib.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index f9ff80162a..85c47fb627 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
 
 out_free:
     pem_free(*header, flags, 0);
+    *header = NULL;
     pem_free(*data, flags, 0);
+    *data = NULL;
 end:
     EVP_ENCODE_CTX_free(ctx);
     pem_free(name, flags, 0);
-- 
GitLab