From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 9 Oct 2024 21:00:13 +0000 (+0200) Subject: Fix potential double free through SRP_user_pwd_set1_ids() X-Git-Tag: openssl-3.0.16~96 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3451b13b6f131fed8aeede095e1ff7e59ee3f7d9;p=thirdparty%2Fopenssl.git Fix potential double free through SRP_user_pwd_set1_ids() If SRP_user_pwd_set1_ids() fails during one of the duplications, or id is NULL, then the old pointer values are still stored but they are now dangling. Later when SRP_user_pwd_free() is called these are freed again, leading to a double free. Although there are no such uses in OpenSSL as far as I found, it's still a public API. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25655) (cherry picked from commit 792b2c8da283d4230caa761ea6f5d050cb5795e7) --- diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 96d511ffe63..4b842dfd912 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -216,6 +216,8 @@ int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id, { OPENSSL_free(vinfo->id); OPENSSL_free(vinfo->info); + vinfo->id = NULL; + vinfo->info = NULL; if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id))) return 0; return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info)));
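Review bot: in the SRP_user_pwd_set1_ids() hunk, the two added NULL assignments close the double free, but a failing call still leaves vinfo half-updated, because the old id and info are freed before either OPENSSL_strdup() has succeeded. If OPENSSL_strdup(id) fails, both fields end up NULL; if OPENSSL_strdup(info) fails, vinfo->id already holds the new id while vinfo->info is NULL, and the caller only sees a return of 0. Consider duplicating id and info into local pointers first, returning 0 (and freeing any local that was allocated) before vinfo is touched, and only then freeing the old values and assigning the new ones, so that a failed call leaves the object unchanged. If the current behaviour is kept, the documentation for this public function should say that the previous id and info are discarded even when the call fails, and a regression test that calls it with id == NULL and then SRP_user_pwd_free() would pin down the case the commit message describes.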