Commit 6aa8dab2 authored by Matt Caswell's avatar Matt Caswell
Browse files

Fix dh_pub_encode 



The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent 34a7ed0c

crypto/dh/dh_ameth.c

+7 −5
Original line number Diff line number Diff line
@@ -151,7 +151,6 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 
static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)

{

    DH *dh;

    void *pval = NULL;

    int ptype;

    unsigned char *penc = NULL;

    int penclen;
@@ -161,12 +160,15 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 
    dh = pkey->pkey.dh;



    str = ASN1_STRING_new();

    if(!str) {

        DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);

        goto err;

    }

    str->length = i2d_dhp(pkey, dh, &str->data);

    if (str->length <= 0) {

        DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);

        goto err;

    }

    pval = str;

    ptype = V_ASN1_SEQUENCE;



    pub_key = BN_to_ASN1_INTEGER(dh->pub_key, NULL);
@@ -183,14 +185,14 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 
    }



    if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),

                               ptype, pval, penc, penclen))

                               ptype, str, penc, penclen))

        return 1;



 err:

    if (penc)

        OPENSSL_free(penc);

    if (pval)

        ASN1_STRING_free(pval);

    if (str)

        ASN1_STRING_free(str);



    return 0;

}