root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Fix memory leak on invalid CertificateRequest. 

Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.

The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.

This was found by libFuzzer.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
This commit is contained in:
David Benjamin 2016-03-14 15:03:07 -04:00 committed by Dr. Stephen Henson
parent d1094383df
commit 6afef8b1fb
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/statem/statem_clnt.c
View File

@ -1863,6 +1863,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
xn = NULL;
} }
/* we should setup a certificate to return.... */ /* we should setup a certificate to return.... */
@ -1877,6 +1878,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
err: err:
ossl_statem_set_error(s); ossl_statem_set_error(s);
done: done:
X509_NAME_free(xn);
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
return ret; return ret;
} }