Line 0
Link Here
|
|
|
1 |
# Backport of CVE-2015-0209 vuln mitigation |
2 |
# Fix a failure to NULL a pointer freed on error. |
3 |
# |
4 |
# Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org> |
5 |
# CVE-2015-0209 |
6 |
|
7 |
--- crypto/ec/ec_asn1.c.orig 2015-02-10 14:54:46 UTC |
8 |
+++ crypto/ec/ec_asn1.c |
9 |
@@ -1043,13 +1043,8 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsi |
10 |
EC_KEY *ret = NULL; |
11 |
EC_PRIVATEKEY *priv_key = NULL; |
12 |
|
13 |
- if ((priv_key = EC_PRIVATEKEY_new()) == NULL) { |
14 |
- ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE); |
15 |
- return NULL; |
16 |
- } |
17 |
- if ((priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len)) == NULL) { |
18 |
+ if ((priv_key = d2i_EC_PRIVATEKEY(NULL, in, len)) == NULL) { |
19 |
ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB); |
20 |
- EC_PRIVATEKEY_free(priv_key); |
21 |
return NULL; |
22 |
} |
23 |
if (a == NULL || *a == NULL) { |
24 |
@@ -1109,10 +1104,12 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsi |
25 |
goto err; |
26 |
} |
27 |
} |
28 |
+ if (a) |
29 |
+ *a = ret; |
30 |
ok = 1; |
31 |
err: |
32 |
if (!ok) { |
33 |
- if (ret) |
34 |
+ if (ret) && (a == NULL || *a != ret)) |
35 |
EC_KEY_free(ret); |
36 |
ret = NULL; |
37 |
} |