Commit becdc13f authored Dec 10, 2017 by Pavel Kopyl Committed by Matt Caswell Feb 21, 2018

X509V3_EXT_add_nconf_sk, X509v3_add_ext: fix errors handling



X509v3_add_ext: free 'sk' if the memory pointed to by it
was malloc-ed inside this function.
X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails.
This prevents use of a freed memory in do_body:sk_X509_EXTENSION_num().

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4896)

parent cb750375

crypto/x509/x509_v3.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -177,7 +177,7 @@ STACK_OF(X509_EXTENSION) X509v3_add_ext(STACK_OF(X509_EXTENSION) *x,
		err2:
		if (new_ex != NULL)
		X509_EXTENSION_free(new_ex);
		if (sk != NULL)
		if (x != NULL && *x == NULL && sk != NULL)
		sk_X509_EXTENSION_free(sk);
		return (NULL);
		}

crypto/x509v3/v3_conf.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -340,8 +340,12 @@ int X509V3_EXT_add_nconf_sk(CONF conf, X509V3_CTX ctx, char *section,
		val = sk_CONF_VALUE_value(nval, i);
		if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
		return 0;
		if (sk)
		X509v3_add_ext(sk, ext, -1);
		if (sk != NULL) {
		if (X509v3_add_ext(sk, ext, -1) == NULL) {
		X509_EXTENSION_free(ext);
		return 0;
		}
		}
		X509_EXTENSION_free(ext);
		}
		return 1;