From: Richard Levitte Date: Tue, 20 Apr 2021 06:43:30 +0000 (+0200) Subject: ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse X-Git-Tag: openssl-3.0.0-alpha16~124 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1727465471e800548694da96b8970743b7efa7ff;p=thirdparty%2Fopenssl.git ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse The 'sn' and 'ln' strings may be dynamically allocated, and the ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings must be freed, or there is a memory leak. Fixes #14667 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14938) (cherry picked from commit 65b88a75921533ada8b465bc8d5c0817ad927947) --- diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 3740f608c51..c96c36e7302 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -291,16 +291,13 @@ ASN1_OBJECT *ossl_c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, } } - /* - * only the ASN1_OBJECTs from the 'table' will have values for ->sn or - * ->ln - */ if ((a == NULL) || ((*a) == NULL) || !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) { if ((ret = ASN1_OBJECT_new()) == NULL) return NULL; - } else + } else { ret = (*a); + } p = *pp; /* detach data from object */ @@ -318,6 +315,12 @@ ASN1_OBJECT *ossl_c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, ret->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA; } memcpy(data, p, length); + /* If there are dynamic strings, free them here, and clear the flag */ + if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) { + OPENSSL_free((char *)ret->sn); + OPENSSL_free((char *)ret->ln); + ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS; + } /* reattach data to object, after which it remains const */ ret->data = data; ret->length = length;