From: Yann Ylavic Date: Thu, 12 Mar 2015 20:50:09 +0000 (+0000) Subject: ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68518a98af7859e8a7c1b5861f429f9cd72b1bb1;p=thirdparty%2Fapache%2Fhttpd.git ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when checking the server certificate constraints (SSL_X509_getBC()). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1666297 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index c5f00060c8c..3290d62bbbc 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,9 @@ Changes with Apache 2.5.0 to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. [Yann Ylavic] + *) mod_ssl: Fix possible crash when loading server certificate constraints. + PR 57694. [Paul Spangler , Yann Ylavic] + *) core, modules: Avoid error response/document handling by the core if some handler or input filter already did it while reading the request (causing a double response body). [Yann Ylavic] diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c index 8a41fff7f58..a1fca36202c 100644 --- a/modules/ssl/ssl_util_ssl.c +++ b/modules/ssl/ssl_util_ssl.c @@ -173,12 +173,17 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen) *ca = bc->ca; *pathlen = -1 /* unlimited */; if (bc->pathlen != NULL) { - if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL) + if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL) { + BASIC_CONSTRAINTS_free(bc); return FALSE; - if ((cp = BN_bn2dec(bn)) == NULL) + } + if ((cp = BN_bn2dec(bn)) == NULL) { + BN_free(bn); + BASIC_CONSTRAINTS_free(bc); return FALSE; + } *pathlen = atoi(cp); - free(cp); + OPENSSL_free(cp); BN_free(bn); } BASIC_CONSTRAINTS_free(bc);