[PATCH] libcrypto: initialize pointer

2015-05-29 Thread Benjamin Baier
Hello tech@

buf.data is not initialized up front, which may lead to free(3)'ing a
garbage pointer. Found by llvm/scan-build.
Also free(3) handles NULL. No need to check.

Index: tasn_dec.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/tasn_dec.c,v
retrieving revision 1.26
diff -u -p -r1.26 tasn_dec.c
--- tasn_dec.c  19 Mar 2015 14:00:22 -  1.26
+++ tasn_dec.c  27 May 2015 18:40:34 -
@@ -669,6 +669,8 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval,
const unsigned char *cont = NULL;
long len;
 
+   buf.data = NULL;
+
if (!pval) {
ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL);
return 0; /* Should never happen */
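
Review bot: the added `buf.data = NULL;` sets a single member of buf in a separate statement, whereas `cont` at the top of this hunk is initialised where it is declared. The declaration of buf is outside the hunk, so check whether it can be initialised there instead, and whether any other member of buf is read on the err path. The commit message should also name the path on which scan-build sees free(3) reached with buf.data unset, so a reader can tell whether this fixes a reachable bug or only hardens the function.
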
@@ -783,7 +785,7 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval,
ret = 1;
 
 err:
-   if (free_cont  buf.data)
+   if (free_cont)
free(buf.data);
return ret;
 }
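
Review bot: removing the buf.data test at the err label is a cleanup independent of the initialisation in the first hunk, and would be easier to review as its own change. free(NULL) is a no-op, so the removal does not alter behaviour, and the old test never protected against an indeterminate pointer, only against a NULL one. What still decides whether buf.data is freed is the remaining `if (free_cont)` guard. The lines that set free_cont are not shown, so the message should state whether free_cont can be non-zero before buf.data has been assigned.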



Re: [PATCH] libcrypto: initialize pointer

2015-05-29 Thread Joel Sing
On Friday 29 May 2015, Benjamin Baier wrote:
 Hello tech@

 buf.data is not initialized up front, which may lead to free(3)'ing a
 garbage pointer. Found by llvm/scan-build.
 Also free(3) handles NULL. No need to check.

At first glance this is not actually a real problem - free_cont is initialised 
to zero, then only set to one after buf.data has been initialised. That said, 
I'll take a closer look.

 Index: tasn_dec.c
 ===
 RCS file: /cvs/src/lib/libssl/src/crypto/asn1/tasn_dec.c,v
 retrieving revision 1.26
 diff -u -p -r1.26 tasn_dec.c
 --- tasn_dec.c19 Mar 2015 14:00:22 -  1.26
 +++ tasn_dec.c27 May 2015 18:40:34 -
 @@ -669,6 +669,8 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval,
   const unsigned char *cont = NULL;
   long len;

 + buf.data = NULL;
 +
   if (!pval) {
   ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL);
   return 0; /* Should never happen */
 @@ -783,7 +785,7 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval,
   ret = 1;

  err:
 - if (free_cont  buf.data)
 + if (free_cont)
   free(buf.data);
   return ret;
  }



-- 

Action without study is fatal. Study without action is futile.
-- Mary Ritter Beard