Commit 152abc55 authored by Bernd Edlinger's avatar Bernd Edlinger
Browse files

Fix a crash in reuse of d2i_X509_PUBKEY 



If the second PUBKEY is malformed there is use after free.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8135)
parent 47c55f88

CHANGES

+4 −0
Original line number Diff line number Diff line
@@ -9,6 +9,10 @@ 














 Changes between 1.1.0j and 1.1.0k [xx XXX xxxx]



























  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a













     re-used X509_PUBKEY object if the second PUBKEY is malformed.













     [Bernd Edlinger]



























  *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().















     [Richard Levitte]















































crypto/x509/x_pubkey.c



+1
−0






























Original line number
Diff line number
Diff line








@@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,













        /* Attempt to decode public key and cache in pubkey structure. */















        X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;















        EVP_PKEY_free(pubkey->pkey);













        pubkey->pkey = NULL;















        /*















         * Opportunistically decode the key but remove any non fatal errors















         * from the queue. Subsequent explicit attempts to decode/use the key