Fix memory leak on invalid CertificateRequest.
Free up parsed X509_NAME structure if the CertificateRequest message contains excess data. The security impact is considered insignificant. This is a client side only leak and a large number of connections to malicious servers would be needed to have a significant impact. This was found by libFuzzer. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
This commit is contained in:
David Benjamin
Dr. Stephen Henson
parent
af2db04c99
commit
ec66c8c988
1 changed files with 2 additions and 0 deletions
|
|
@ -2199,6 +2199,7 @@ int ssl3_get_certificate_request(SSL *s)
|
|||
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
xn = NULL;
|
||||
|
||||
p += l;
|
||||
nc += l + 2;
|
||||
|
|
@ -2222,6 +2223,7 @@ int ssl3_get_certificate_request(SSL *s)
|
|||
err:
|
||||
s->state = SSL_ST_ERR;
|
||||
done:
|
||||
X509_NAME_free(xn);
|
||||
if (ca_sk != NULL)
|
||||
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
|
||||
return (ret);
|
||||
|
|
|
|||
Loading…
Reference in a new issue