From: zekeevans-mf <77804765+zekeevans-mf@users.noreply.github.com> Date: Thu, 21 Jan 2021 19:24:51 +0000 (-0700) Subject: Add deep copy of propq field in mac_dupctx to avoid double free X-Git-Tag: openssl-3.0.0-alpha12~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bcb61b39b47419b9de1dbc37cd2f67b71eeb23ea;p=thirdparty%2Fopenssl.git Add deep copy of propq field in mac_dupctx to avoid double free mac_dupctx() should make a copy of the propq field. Currently it does a shallow copy which can result in a double free and crash. The double free occurs when using a provider property string. For example, passing in "fips=no" to SSL_CTX_new_ex() causes the propq field to get set to that value. When mac_dupctx() and mac_freectx() is called (ie: in SSL_write()) it ends up freeing the reference of the original object instead of a copy. Reviewed-by: Paul Dale Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13926) --- diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c index 7d23e36f2b7..23865830699 100644 --- a/providers/implementations/signature/mac_legacy.c +++ b/providers/implementations/signature/mac_legacy.c @@ -172,9 +172,13 @@ static void *mac_dupctx(void *vpmacctx) return NULL; *dstctx = *srcctx; + dstctx->propq = NULL; dstctx->key = NULL; dstctx->macctx = NULL; + if (srcctx->propq != NULL && (dstctx->propq = OPENSSL_strdup(srcctx->propq)) == NULL) + goto err; + if (srcctx->key != NULL && !ossl_mac_key_up_ref(srcctx->key)) goto err; dstctx->key = srcctx->key;
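Review bot: the new OPENSSL_strdup() check in mac_dupctx() jumps to err while dstctx->key and dstctx->macctx are still NULL, and the err label lies outside the lines shown. Please confirm that the cleanup there frees dstctx->propq and tolerates a context with NULL key and macctx, so the allocation-failure path neither leaks the copy nor frees something it does not own. Setting dstctx->propq = NULL right after "*dstctx = *srcctx;" is what keeps that cleanup from touching the source's string. A one-line comment at the struct assignment, saying that every owned pointer must be cleared and then duplicated or up-ref'd, would help whoever adds the next field. The diff touches only mac_legacy.c. A regression test following the commit message's scenario (a property string such as "fips=no" passed to SSL_CTX_new_ex(), then SSL_write()) would keep the double free from returning.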