On Friday 29 May 2015, Benjamin Baier wrote:
> Hello tech@
>
> buf.data is not initialized up front, which may lead to free(3)'ing a
> garbage pointer. Found by llvm/scan-build.
> Also free(3) handles NULL. No need to check.

At first glance this is not actually a real problem - free_cont is initialised 
to zero, then only set to one after buf.data has been initialised. That said, 
I'll take a closer look.

> Index: tasn_dec.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/asn1/tasn_dec.c,v
> retrieving revision 1.26
> diff -u -p -r1.26 tasn_dec.c
> --- tasn_dec.c        19 Mar 2015 14:00:22 -0000      1.26
> +++ tasn_dec.c        27 May 2015 18:40:34 -0000
> @@ -669,6 +669,8 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval,
>       const unsigned char *cont = NULL;
>       long len;
>
> +     buf.data = NULL;
> +
>       if (!pval) {
>               ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL);
>               return 0; /* Should never happen */
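Review bot: the `buf.data = NULL;` added at the top of asn1_d2i_ex_primitive is a defensive initialisation rather than a fix for a live bug: free_cont starts at zero and is set only after buf.data has been assigned, so the err path cannot read buf.data uninitialised as the code stands. It is still worth taking, since it decouples the cleanup from that ordering invariant and silences scan-build, but consider doing the zeroing where buf is declared (above the lines shown) rather than as a free-standing statement after the other locals, so a later edit cannot separate the initialisation from the variable.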
> @@ -783,7 +785,7 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval,
>       ret = 1;
>
>  err:
> -     if (free_cont && buf.data)
> +     if (free_cont)
>               free(buf.data);
>       return ret;
>  }
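Review bot: dropping `&& buf.data` here is correct, because free(3) accepts a NULL pointer and buf.data is either NULL or a live allocation whenever free_cont is set. Note that this hunk reads buf.data only when free_cont is nonzero, which was already true of the old condition (`free_cont && buf.data` short-circuits), so this change is safe on its own and does not depend on the first hunk; the description should present both as cleanups rather than as a fix for freeing a garbage pointer.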



-- 

    "Action without study is fatal. Study without action is futile."
        -- Mary Ritter Beard
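The pattern the thread is discussing (a scratch buffer, a free_cont flag that is set only once the buffer has been allocated, and a single err: label that frees it) in a runnable form, as an added example that is neither the libssl code nor code from either message: the decode_primitive function, the strbuf type, the embedded-NUL validation rule and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the ASN1_STRING used as `buf` in the real
 * function (assumption: only the data/length members matter here). */
struct strbuf {
	unsigned char *data;
	long length;
};

/* Toy decoder for one OCTET STRING-like primitive: tag 0x04, one short-form
 * length byte, then the contents. Returns 1 and hands the caller a heap copy
 * of the contents, or 0 on failure. Shape mirrors the patched function: a
 * scratch `buf`, a `free_cont` flag set only after buf.data is allocated,
 * and one `err:` label that frees buf.data when the flag is set. */
int
decode_primitive(const unsigned char *in, long inlen,
    unsigned char **out, long *outlen)
{
	struct strbuf buf;
	const unsigned char *cont = NULL;
	long len;
	int free_cont = 0;
	int ret = 0;

	buf.data = NULL;	/* first hunk: never a garbage pointer at err */
	buf.length = 0;

	if (in == NULL || out == NULL || outlen == NULL)
		goto err;	/* err reached before any allocation */
	if (inlen < 2 || in[0] != 0x04)
		goto err;	/* wrong tag or missing length byte */
	len = in[1];
	if (len > inlen - 2)
		goto err;	/* length claims more bytes than are present */
	cont = in + 2;

	/* Gather the contents into a scratch buffer that this function owns. */
	buf.data = malloc(len > 0 ? (size_t)len : 1);
	if (buf.data == NULL)
		goto err;
	memcpy(buf.data, cont, (size_t)len);
	buf.length = len;
	free_cont = 1;		/* only from here on may err free buf.data */

	/* Hypothetical validation rule for this example: reject embedded NULs.
	 * This is the "late failure" case: free_cont is set, buf.data is live. */
	if (len > 0 && memchr(buf.data, 0, (size_t)len) != NULL)
		goto err;

	/* "c2i" step: give the caller its own copy of the contents. */
	*out = malloc(len > 0 ? (size_t)len : 1);
	if (*out == NULL)
		goto err;
	memcpy(*out, buf.data, (size_t)len);
	*outlen = len;
	ret = 1;

err:
	if (free_cont)		/* second hunk: free(3) accepts NULL, no extra check */
		free(buf.data);
	return ret;
}

/* Sample inputs, constructed for this example. */
static const unsigned char sample_ok[] = { 0x04, 0x02, 'h', 'i' };
static const unsigned char sample_trunc[] = { 0x04, 0x05, 'a' };	/* length 5, 1 byte */
static const unsigned char sample_nul[] = { 0x04, 0x03, 'a', 0x00, 'b' };	/* fails after alloc */

/* Run the decoder on one input and release the output; returns its result. */
int
run_case(const unsigned char *in, long inlen)
{
	unsigned char *out = NULL;
	long outlen = 0;
	int r = decode_primitive(in, inlen, &out, &outlen);

	free(out);		/* still NULL on failure, which free(3) accepts */
	return r;
}

/* Returns 1 if decoding sample_ok yields exactly the two bytes "hi". */
int
ok_case_yields_hi(void)
{
	unsigned char *out = NULL;
	long outlen = 0;
	int match;

	if (decode_primitive(sample_ok, (long)sizeof(sample_ok), &out, &outlen) != 1)
		return 0;
	match = (outlen == 2 && memcmp(out, "hi", 2) == 0);
	free(out);
	return match;
}

int
main(void)
{
	printf("valid: %d, truncated: %d, embedded NUL: %d, contents match: %d\n",
	    run_case(sample_ok, (long)sizeof(sample_ok)),
	    run_case(sample_trunc, (long)sizeof(sample_trunc)),
	    run_case(sample_nul, (long)sizeof(sample_nul)),
	    ok_case_yields_hi());
	return 0;
}
```

The three inputs exercise the three ways the err label is reached: before any allocation (free_cont still 0, buf.data never read), after allocation (free_cont 1, buf.data live and freed), and not at all on success. Without the `buf.data = NULL` line, correctness rests entirely on the invariant that free_cont is set only after buf.data is assigned; the initialisation costs nothing and keeps the cleanup safe if a later change sets the flag earlier or adds another path to err.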
