]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c89b553)
Fix a possible use after free in X509v3_asid_add_id_or_range
authorBernd Edlinger <bernd.edlinger@hotmail.de>
Wed, 15 Nov 2023 19:49:51 +0000 (20:49 +0100)
committerTomas Mraz <tomas@openssl.org>
Fri, 1 Dec 2023 10:03:24 +0000 (11:03 +0100)
And clean up partially created choice objects, which have
still the default type = -1 from ASIdentifierChoice_new().

Fixes #22700

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22745)

crypto/x509/v3_asid.c patch | blob | blame | history

diff --git a/crypto/x509/v3_asid.c b/crypto/x509/v3_asid.c
index d1c3dd5d9ffd21e69bd1c2946b7f11abe0a95d2a..251243b7237320141e5c4fb54650d4d230922ecb 100644 (file)
--- a/crypto/x509/v3_asid.c
+++ b/crypto/x509/v3_asid.c
@@ -169,8 +169,11 @@ int X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
     if (*choice == NULL) {
         if ((*choice = ASIdentifierChoice_new()) == NULL)
             return 0;
-        if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
+        if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) {
+            ASIdentifierChoice_free(*choice);
+            *choice = NULL;
             return 0;
+        }
         (*choice)->type = ASIdentifierChoice_inherit;
     }
     return (*choice)->type == ASIdentifierChoice_inherit;
@@ -196,18 +199,23 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
     default:
         return 0;
     }
-    if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
+    if (*choice != NULL && (*choice)->type != ASIdentifierChoice_asIdsOrRanges)
         return 0;
     if (*choice == NULL) {
         if ((*choice = ASIdentifierChoice_new()) == NULL)
             return 0;
         (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
-        if ((*choice)->u.asIdsOrRanges == NULL)
+        if ((*choice)->u.asIdsOrRanges == NULL) {
+            ASIdentifierChoice_free(*choice);
+            *choice = NULL;
             return 0;
+        }
         (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
     }
     if ((aor = ASIdOrRange_new()) == NULL)
         return 0;
+    if (!sk_ASIdOrRange_reserve((*choice)->u.asIdsOrRanges, 1))
+        goto err;
     if (max == NULL) {
         aor->type = ASIdOrRange_id;
         aor->u.id = min;
@@ -220,7 +228,8 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
         ASN1_INTEGER_free(aor->u.range->max);
         aor->u.range->max = max;
     }
-    if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
+    /* Cannot fail due to the reservation above */
+    if (!ossl_assert(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
         goto err;
     return 1;
 
Mirror of https://github.com/openssl/openssl.git