Hello All, While reviewing the source code in directory 'crypto/ocsp', file 'ocsp_ht.c', I found a minor flaw in the test logic which could allow a small memory leak to develop. The patch file below should address/correct this issue:
--- ocsp_ht.c.orig 2016-03-08 10:24:51.821632969 -0800
+++ ocsp_ht.c 2016-03-08 10:26:32.062373052 -0800
@@ -119,13 +119,18 @@
 rctx->state = OHS_ERROR;
 rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
 rctx->mem = BIO_new(BIO_s_mem());
+ if (rctx->mem == NULL)
+ OCSP_REQ_CTX_free(rctx);
+ return NULL;
+ }
 rctx->io = io;
 if (maxline > 0)
 rctx->iobuflen = maxline;
 else
 rctx->iobuflen = OCSP_MAX_LINE_LEN;
 rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
- if (rctx->iobuf == NULL || rctx->mem == NULL) {
+ if (rctx->iobuf == NULL) {
+ OCSP_REQ_CTX_free(rctx->mem);
 OCSP_REQ_CTX_free(rctx);
 return NULL;
 }
=======================================================================
Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4400 Please log in as guest with password guest if prompted
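Review bot: The added `if (rctx->mem == NULL)` has no opening brace although the added `}` three lines later closes one, so the hunk is unbalanced as posted; if that stray brace were simply dropped, `return NULL;` would run unconditionally. The line should read `if (rctx->mem == NULL) {`. In the second added block, `OCSP_REQ_CTX_free(rctx->mem);` passes the BIO returned by `BIO_new()` to the same function that the next line calls with `rctx`, so the argument has the wrong type. If `OCSP_REQ_CTX_free` already releases `rctx->mem` and `rctx->iobuf` (its body is outside this hunk, so confirm), the original combined check did not leak and this extra call would release the BIO a second time; in that case drop the added line and keep `if (rctx->iobuf == NULL || rctx->mem == NULL) {`. The enclosing function starts and ends outside the hunk.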