The branch OpenSSL_1_0_2-stable has been updated
       via  ec66c8c98881186abbb4a7ddd6617970f1ee27a7 (commit)
      from  af2db04c9979554ada88d969da6332a827a47599 (commit)


- Log -----------------------------------------------------------------
commit ec66c8c98881186abbb4a7ddd6617970f1ee27a7
Author: David Benjamin <[email protected]>
Date:   Mon Mar 14 15:03:07 2016 -0400

    Fix memory leak on invalid CertificateRequest.
    
    Free up parsed X509_NAME structure if the CertificateRequest message
    contains excess data.
    
    The security impact is considered insignificant. This is a client side
    only leak and a large number of connections to malicious servers would
    be needed to have a significant impact.
    
    This was found by libFuzzer.
    
    Reviewed-by: Emilia Käsper <[email protected]>
    Reviewed-by: Stephen Henson <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 04cc9f5..19dc864 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2199,6 +2199,7 @@ int ssl3_get_certificate_request(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
+        xn = NULL;
 
         p += l;
         nc += l + 2;
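Review bot: The `xn = NULL;` added after the successful `sk_X509_NAME_push` is an ownership hand-off, and nothing on the line says so, which makes it easy to remove in a later cleanup. I would add a comment such as `/* ca_sk owns xn now; clear it so the cleanup at done: cannot free it again */`. Without the reset, the new `X509_NAME_free(xn)` in the second hunk would release a name that `ca_sk` still holds, and `sk_X509_NAME_pop_free` would free it a second time whenever `ca_sk` is still set at `done:`. The loop around these lines starts and ends outside the hunk.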
@@ -2222,6 +2223,7 @@ int ssl3_get_certificate_request(SSL *s)
  err:
     s->state = SSL_ST_ERR;
  done:
+    X509_NAME_free(xn);
     if (ca_sk != NULL)
         sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
     return (ret);
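Review bot: The unconditional `X509_NAME_free(xn)` at `done:` is only safe if `xn` is either NULL or an owned pointer on every path that reaches `err:` or `done:`, including any `goto err` taken before the first name is parsed. The declaration is outside this hunk, so confirm it reads `X509_NAME *xn = NULL;`; if it were left uninitialized, an early error exit would pass an indeterminate pointer to the free. Since the leak was found by fuzzing, a regression test that runs the malformed-message case from the commit description under a leak checker would keep this path covered.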