From 368f6dfa92efa3adb6e9e4f4d60b3703220c4045 Mon Sep 17 00:00:00 2001 From: tb Date: Wed, 17 Apr 2024 13:50:01 +0000 Subject: [PATCH] Transfer ownership before setting unused bits This looks like a use after free, but setting the unused bits to 0 can't actually fail. ok jsing --- lib/libcrypto/ec/ec_ameth.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/libcrypto/ec/ec_ameth.c b/lib/libcrypto/ec/ec_ameth.c index 9bcda79b3e2..1c2b6be87ca 100644 --- a/lib/libcrypto/ec/ec_ameth.c +++ b/lib/libcrypto/ec/ec_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_ameth.c,v 1.55 2024/04/17 13:49:18 tb Exp $ */ +/* $OpenBSD: ec_ameth.c,v 1.56 2024/04/17 13:50:01 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -951,10 +951,12 @@ ecdh_cms_encrypt(CMS_RecipientInfo *ri) penclen = i2o_ECPublicKey(eckey, &p); if (penclen <= 0) goto err; + ASN1_STRING_set0(pubkey, penc, penclen); + penc = NULL; + if (!asn1_abs_set_unused_bits(pubkey, 0)) goto err; - penc = NULL; X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), V_ASN1_UNDEF, NULL); -- 2.20.1