Commit 0c7ca403 authored by Matt Caswell's avatar Matt Caswell
Browse files

Fix dsa_pub_encode 



The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent 6aa8dab2

crypto/dsa/dsa_ameth.c

+8 −6
Original line number Diff line number Diff line
@@ -129,21 +129,23 @@ static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 
static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)

{

    DSA *dsa;

    void *pval = NULL;

    int ptype;

    unsigned char *penc = NULL;

    int penclen;

    ASN1_STRING *str = NULL;



    dsa = pkey->pkey.dsa;

    if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {

        ASN1_STRING *str;

        str = ASN1_STRING_new();

        if (!str) {

            DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);

            goto err;

        }

        str->length = i2d_DSAparams(dsa, &str->data);

        if (str->length <= 0) {

            DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);

            goto err;

        }

        pval = str;

        ptype = V_ASN1_SEQUENCE;

    } else

        ptype = V_ASN1_UNDEF;
@@ -158,14 +160,14 @@ static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 
    }



    if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA),

                               ptype, pval, penc, penclen))

                               ptype, str, penc, penclen))

        return 1;



 err:

    if (penc)

        OPENSSL_free(penc);

    if (pval)

        ASN1_STRING_free(pval);

    if (str)

        ASN1_STRING_free(str);



    return 0;

}