Fix a NULL ptr deref in error path in tls_process_cke_dhe()

Fixes #6574 Reviewed-by: N Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6593)

Fix a NULL ptr deref in error path in tls_process_cke_dhe()
Fixes #6574 Reviewed-by: N Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6593)
b6ff436f · Matt Caswell · 5281bb22 · b6ff436f
隐藏空白更改
内联并排

Showing with 3 addition and 4 deletion

ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c +3 -4

未找到文件。
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3129,14 +3129,13 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
                 SSL_R_BN_LIB);
        goto err;
    }
+
    cdh = EVP_PKEY_get0_DH(ckey);
    pub_key = BN_bin2bn(data, i, NULL);
-
-    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
+    if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 ERR_R_INTERNAL_ERROR);
-        if (pub_key != NULL)
-            BN_free(pub_key);
+        BN_free(pub_key);
        goto err;
    }