Commit 3d551b20 authored May 01, 2018 by Matt Caswell

Fix a mem leak in CMS



The function CMS_RecipientInfo_set0_pkey() is a "set0" and therefore
memory management passes to OpenSSL. If the same function is called again
then we should ensure that any previous value that was set is freed first
before we set it again.

Fixes #5052

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6142)

parent 4ffc1842

crypto/cms/cms_env.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -282,6 +282,7 @@ int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo ri, EVP_PKEY pkey)
		CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY, CMS_R_NOT_KEY_TRANSPORT);
		return 0;
		}
		EVP_PKEY_free(ri->d.ktri->pkey);
		ri->d.ktri->pkey = pkey;
		return 1;
		}

crypto/cms/cms_smime.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -631,6 +631,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo cms, EVP_PKEY pk, X509 *cert)
		* all.
		*/
		else if (!cert \|\| !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {
		EVP_PKEY_up_ref(pk);
		CMS_RecipientInfo_set0_pkey(ri, pk);
		r = CMS_RecipientInfo_decrypt(cms, ri);
		CMS_RecipientInfo_set0_pkey(ri, NULL);