From 12b0d2cbf6d2589372ffa66c3bf3055bf3f30f2f Mon Sep 17 00:00:00 2001 From: tb Date: Sat, 1 May 2021 13:16:30 +0000 Subject: [PATCH] Plug leak in c2i_ASN1_OBJECT When using the object reuse facility of c2i_ASN1_OBJECT, the dynamically allocated strings a may contain are set to NULL, so we must free them beforehand. Also clear the flag, because that's what OpenSSL chose to do. From Richard Levitte OpenSSL 1.1.1 65b88a75921533ada8b465bc8d5c0817ad927947 ok inoguchi --- lib/libcrypto/asn1/a_object.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lib/libcrypto/asn1/a_object.c b/lib/libcrypto/asn1/a_object.c index 16c3a1c0fdb..8600f80474e 100644 --- a/lib/libcrypto/asn1/a_object.c +++ b/lib/libcrypto/asn1/a_object.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_object.c,v 1.31 2018/04/25 11:48:21 tb Exp $ */ +/* $OpenBSD: a_object.c,v 1.32 2021/05/01 13:16:30 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -304,8 +304,6 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len) } } - /* only the ASN1_OBJECTs from the 'table' will have values - * for ->sn or ->ln */ if ((a == NULL) || ((*a) == NULL) || !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) { if ((ret = ASN1_OBJECT_new()) == NULL) @@ -327,6 +325,13 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len) memcpy(data, p, length); + /* If there are dynamic strings, free them here, and clear the flag. */ + if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) { + free((void *)ret->sn); + free((void *)ret->ln); + ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS; + } + /* reattach data to object, after which it remains const */ ret->data = data; ret->length = length; -- 2.20.1