diff options
| author | Niels Dossche <7771979+nielsdos@users.noreply.github.com> | 2024-10-09 23:00:13 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2024-10-11 14:22:36 +0200 |
| commit | 792b2c8da283d4230caa761ea6f5d050cb5795e7 (patch) | |
| tree | 577cf3ede9ca0a2b9b097152ef82d2e8158a1d4e /crypto/srp | |
| parent | Use poll() in BIO_socket_wait() if available (diff) | |
| download | openssl-792b2c8da283d4230caa761ea6f5d050cb5795e7.tar.xz openssl-792b2c8da283d4230caa761ea6f5d050cb5795e7.zip | |
Fix potential double free through SRP_user_pwd_set1_ids()
If SRP_user_pwd_set1_ids() fails during one of the duplications, or id
is NULL, then the old pointer values are still stored but they are now dangling.
Later when SRP_user_pwd_free() is called these are freed again,
leading to a double free.
Although there are no such uses in OpenSSL as far as I found,
it's still a public API.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25655)
Diffstat (limited to 'crypto/srp')
| -rw-r--r-- | crypto/srp/srp_vfy.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 6e68d7a111..5f626d7055 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -214,6 +214,8 @@ int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id, { OPENSSL_free(vinfo->id); OPENSSL_free(vinfo->info); + vinfo->id = NULL; + vinfo->info = NULL; if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id))) return 0; return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info))); |