Commit a25e2d49 authored by Pavel Kopyl's avatar Pavel Kopyl Committed by Matt Caswell
Browse files

do_body: fix heap-use-after-free. 



The memory pointed to by the 'push' is freed by the
X509_NAME_ENTRY_free() in do_body(). The second time
it is referenced to (indirectly) in certify_cert:X509_REQ_free().

Reviewed-by: default avatarBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4896)
parent becdc13f

apps/ca.c

+0 −2
Original line number Diff line number Diff line
@@ -1825,8 +1825,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 


            if (push != NULL) {

                if (!X509_NAME_add_entry(subject, push, -1, 0)) {

                    if (push != NULL)

                        X509_NAME_ENTRY_free(push);

                    BIO_printf(bio_err, "Memory allocation failure\n");

                    goto err;

                }