From 3b95b7506c29f5d0c05e35452e7a339f72bf3d25 Mon Sep 17 00:00:00 2001
From: tedu <tedu@openbsd.org>
Date: Wed, 23 Apr 2014 20:21:23 +0000
Subject: [PATCH] if realloc failed, BIO_accept would leak memory and return
 NULL, causing caller to crash. Fix leak and return an error instead. from
 Chad Loder

---
 lib/libcrypto/bio/b_sock.c         | 13 +++++++++++--
 lib/libssl/src/crypto/bio/b_sock.c | 13 +++++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/lib/libcrypto/bio/b_sock.c b/lib/libcrypto/bio/b_sock.c
index a6dd43f397b..a7791b39e2e 100644
--- a/lib/libcrypto/bio/b_sock.c
+++ b/lib/libcrypto/bio/b_sock.c
@@ -449,7 +449,7 @@ BIO_accept(int sock, char **addr)
 	int ret = -1;
 	unsigned long l;
 	unsigned short port;
-	char *p;
+	char *p, *tmp;
 
 	struct {
 		/*
@@ -534,11 +534,19 @@ BIO_accept(int sock, char **addr)
 		p = *addr;
 		if (p) {
 			*p = '\0';
-			p = realloc(p, nl);
+			if (!(tmp = realloc(p, nl))) {
+				ret = -1;
+				free(p);
+				*addr = NULL;
+				BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
+				goto end;
+			}
+			p = tmp;
 		} else {
 			p = malloc(nl);
 		}
 		if (p == NULL) {
+			ret = -1;
 			BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
 			goto end;
 		}
@@ -553,6 +561,7 @@ BIO_accept(int sock, char **addr)
 	port = ntohs(sa.from.sa_in.sin_port);
 	if (*addr == NULL) {
 		if ((p = malloc(24)) == NULL) {
+			ret = -1;
 			BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
 			goto end;
 		}
diff --git a/lib/libssl/src/crypto/bio/b_sock.c b/lib/libssl/src/crypto/bio/b_sock.c
index a6dd43f397b..a7791b39e2e 100644
--- a/lib/libssl/src/crypto/bio/b_sock.c
+++ b/lib/libssl/src/crypto/bio/b_sock.c
@@ -449,7 +449,7 @@ BIO_accept(int sock, char **addr)
 	int ret = -1;
 	unsigned long l;
 	unsigned short port;
-	char *p;
+	char *p, *tmp;
 
 	struct {
 		/*
@@ -534,11 +534,19 @@ BIO_accept(int sock, char **addr)
 		p = *addr;
 		if (p) {
 			*p = '\0';
-			p = realloc(p, nl);
+			if (!(tmp = realloc(p, nl))) {
+				ret = -1;
+				free(p);
+				*addr = NULL;
+				BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
+				goto end;
+			}
+			p = tmp;
 		} else {
 			p = malloc(nl);
 		}
 		if (p == NULL) {
+			ret = -1;
 			BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
 			goto end;
 		}
@@ -553,6 +561,7 @@ BIO_accept(int sock, char **addr)
 	port = ntohs(sa.from.sa_in.sin_port);
 	if (*addr == NULL) {
 		if ((p = malloc(24)) == NULL) {
+			ret = -1;
 			BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
 			goto end;
 		}
-- 
2.20.1