From a25f52752d2d86a204d2b0f6d4346d6ee88bd76c Mon Sep 17 00:00:00 2001 From: tedu Date: Fri, 18 Apr 2014 15:03:20 +0000 Subject: [PATCH] Some dude named Tavis Ormandy reported a bug which has gone unfixed. http://marc.info/?l=openssl-users&m=138014120223264&w=2 Arguably a doc bug, but we argue not. If you parse a new cert into memory occupied by a previously verified cert, the new cert will inherit that state, bypassing future verification checks. To avoid this, we will always start fresh with a new object. grudging ok from guenther, after i threatened to make him read the code yet again. "that ok was way more painful and tiring then it should have been" --- lib/libcrypto/asn1/tasn_dec.c | 5 +++++ lib/libssl/src/crypto/asn1/tasn_dec.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/lib/libcrypto/asn1/tasn_dec.c b/lib/libcrypto/asn1/tasn_dec.c index f19c4571696..1ce40039b1b 100644 --- a/lib/libcrypto/asn1/tasn_dec.c +++ b/lib/libcrypto/asn1/tasn_dec.c @@ -171,6 +171,11 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, if (!pval) return 0; + /* always start fresh */ + if (*pval) { + ASN1_item_ex_free(pval, it); + *pval = NULL; + } if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb; else diff --git a/lib/libssl/src/crypto/asn1/tasn_dec.c b/lib/libssl/src/crypto/asn1/tasn_dec.c index f19c4571696..1ce40039b1b 100644 --- a/lib/libssl/src/crypto/asn1/tasn_dec.c +++ b/lib/libssl/src/crypto/asn1/tasn_dec.c @@ -171,6 +171,11 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, if (!pval) return 0; + /* always start fresh */ + if (*pval) { + ASN1_item_ex_free(pval, it); + *pval = NULL; + } if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb; else -- 2.20.1