Commit 6afef8b1 authored Mar 14, 2016 by David Benjamin Committed by Dr. Stephen Henson Apr 07, 2016

Fix memory leak on invalid CertificateRequest.



Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.

The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.

This was found by libFuzzer.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

parent d1094383

ssl/statem/statem_clnt.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1863,6 +1863,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL s, PACKET pkt)
		SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
		goto err;
		}
		xn = NULL;
		}

		/* we should setup a certificate to return.... */
		@@ -1877,6 +1878,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL s, PACKET pkt)
		err:
		ossl_statem_set_error(s);
		done:
		X509_NAME_free(xn);
		sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
		return ret;
		}