The branch master has been updated
via bcb61b39b47419b9de1dbc37cd2f67b71eeb23ea (commit)
from 5d8ffebbcdf4992d3c428201b1f3330020bbe92e (commit)
- Log -----------------------------------------------------------------
commit bcb61b39b47419b9de1dbc37cd2f67b71eeb23ea
Author: zekeevans-mf <77804765+zekeevans...@users.noreply.github.com>
Date: Thu Jan 21 12:24:51 2021 -0700
Add deep copy of propq field in mac_dupctx to avoid double free
mac_dupctx() should make a copy of the propq field. Currently it
does a shallow copy which can result in a double free and crash.
The double free occurs when using a provider property string.
For example, passing in "fips=no" to SSL_CTX_new_ex() causes the
propq field to get set to that value. When mac_dupctx() and
mac_freectx() is called (ie: in SSL_write()) it ends up freeing
the reference of the original object instead of a copy.
Reviewed-by: Paul Dale <pa...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13926)
-----------------------------------------------------------------------
Summary of changes:
providers/implementations/signature/mac_legacy.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/providers/implementations/signature/mac_legacy.c
b/providers/implementations/signature/mac_legacy.c
index 7d23e36f2b..2386583069 100644
--- a/providers/implementations/signature/mac_legacy.c
+++ b/providers/implementations/signature/mac_legacy.c
@@ -172,9 +172,13 @@ static void *mac_dupctx(void *vpmacctx)
return NULL;
*dstctx = *srcctx;
+ dstctx->propq = NULL;
dstctx->key = NULL;
dstctx->macctx = NULL;
+ if (srcctx->propq != NULL && (dstctx->propq =
OPENSSL_strdup(srcctx->propq)) == NULL)
+ goto err;
+
if (srcctx->key != NULL && !ossl_mac_key_up_ref(srcctx->key))
goto err;
dstctx->key = srcctx->key;
