Avoid dangling ptrs in header and data params for PEM_read_bio_ex

In the event of a failure in PEM_read_bio_ex() we free the buffers we allocated for the header and data buffers. However we were not clearing the ptrs stored in *header and *data. Since, on success, the caller is responsible for freeing these ptrs this can potentially lead to a double free if the caller frees them even on failure. Thanks to Dawei Wang for reporting this issue. Based on a proposed patch by Kurt Roeckx. CVE-2022-4450 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
author: Matt Caswell <matt@openssl.org> 2022-12-13 14:54:55 +0000
committer: Richard Levitte <levitte@openssl.org> 2023-02-03 11:22:47 +0100
commit: bbcf509bd046b34cca19c766bbddc31683d0858b (patch)
tree: 250a6b890fbd34634b33f2468bc3dbe6b4bd0053
parent: 43d8f88511991533f53680a751e9326999a6a31f (diff)
download: openssl-new-bbcf509bd046b34cca19c766bbddc31683d0858b.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index d416d939ea..328c30cdbb 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
     *data = pem_malloc(len, flags);
     if (*header == NULL || *data == NULL) {
         pem_free(*header, flags, 0);
+        *header = NULL;
         pem_free(*data, flags, 0);
+        *data = NULL;
         goto end;
     }
     BIO_read(headerB, *header, headerlen);
author	Matt Caswell <matt@openssl.org>	2022-12-13 14:54:55 +0000
committer	Richard Levitte <levitte@openssl.org>	2023-02-03 11:22:47 +0100
commit	bbcf509bd046b34cca19c766bbddc31683d0858b (patch)
tree	250a6b890fbd34634b33f2468bc3dbe6b4bd0053
parent	43d8f88511991533f53680a751e9326999a6a31f (diff)
download	openssl-new-bbcf509bd046b34cca19c766bbddc31683d0858b.tar.gz