From: Daniel Gustafsson Date: Wed, 14 Dec 2022 09:14:27 +0000 (+0100) Subject: x509asn1: avoid freeing unallocated pointers X-Git-Tag: curl-7_87_0~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b19247e794cfdf4ec63c5880d8f4f5485f653ab;p=thirdparty%2Fcurl.git x509asn1: avoid freeing unallocated pointers When utf8asn1str fails there is no allocation returned, so freeing the return pointer in **to is at best a no-op and at worst a double- free bug waiting to happen. The current coding isn't hiding any such bugs but to future proof, avoid freeing the return value pointer iff the function failed. Closes: #10087 Reviewed-by: Daniel Stenberg
---
diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
index a3e4d7ec36..e0b7e53be3 100644
--- a/lib/vtls/x509asn1.c
+++ b/lib/vtls/x509asn1.c
@@ -1349,14 +1349,15 @@ CURLcode Curl_verifyhost(struct Curl_cfilter *cf,
 break;
 switch(name.tag) {
 case 2: /* DNS name. */
+ matched = 0;
 len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING, name.beg, name.end);
- if(len > 0 && (size_t)len == strlen(dnsname))
- matched = Curl_cert_hostcheck(dnsname, (size_t)len,
- connssl->hostname, hostlen);
- else
- matched = 0;
- free(dnsname);
+ if(len > 0) {
+ if(size_t)len == strlen(dnsname)
+ matched = Curl_cert_hostcheck(dnsname, (size_t)len,
+ connssl->hostname, hostlen);
+ free(dnsname);
+ }
 break;
 case 7: /* IP address. */
@@ -1406,10 +1407,8 @@ CURLcode Curl_verifyhost(struct Curl_cfilter *cf,
 failf(data, "SSL: unable to obtain common name from peer certificate");
 else {
 len = utf8asn1str(&dnsname, elem.tag, elem.beg, elem.end);
- if(len < 0) {
- free(dnsname);
+ if(len < 0)
 return CURLE_OUT_OF_MEMORY;
- }
 if(strlen(dnsname) != (size_t) len) /* Nul byte in string ? */
 failf(data, "SSL: illegal cert name field");
 else if(Curl_cert_hostcheck((const char *) dnsname,
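Review bot: The `if(len > 0)` guard in the `case 2` branch also skips `free(dnsname)` when utf8asn1str succeeds with a zero-length result, whereas the second hunk treats only `len < 0` as failure. The helper is outside this hunk, but if it returns an allocated empty string for an empty dNSName entry, each such entry in a peer certificate leaks that buffer. Keying the free on success avoids that while still refusing to match empty names: `if(len >= 0) {` around the block and `if(len > 0 && (size_t)len == strlen(dnsname))` for the match. The length comparison is what rejects names with an embedded NUL byte, so a short comment saying so (as the common-name path already has) would keep it from being simplified away. As printed, the inner `if(size_t)len == strlen(dnsname)` lacks its enclosing parentheses, presumably lost in rendering; Curl_verifyhost itself starts and ends outside the hunk.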
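Review bot: Every negative return from utf8asn1str is still reported as `CURLE_OUT_OF_MEMORY` at the `if(len < 0)` check, and with the free removed this call site now depends on the helper never leaving an allocation in `dnsname` on failure. The helper is not visible here; if it can also fail on a malformed or unsupported name encoding, a bad peer certificate would surface as a memory error rather than a verification failure, which misleads anyone triaging the log. A one-line comment such as `/* utf8asn1str() allocates nothing on failure */` above the return would record the contract the change relies on. The enclosing else-block continues past the end of the hunk.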