From 2ddfe60be50bfeebd64e01b123fd7176e7226c87 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 1 May 2018 09:29:17 +0100 Subject: [PATCH] Fix a mem leak in CMS The function CMS_RecipientInfo_set0_pkey() is a "set0" and therefore memory management passes to OpenSSL. If the same function is called again then we should ensure that any previous value that was set is freed first before we set it again. Fixes #5052 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6142) (cherry picked from commit 3d551b20df1acd01f80d3ae00d37177e0fdf344a) --- crypto/cms/cms_env.c | 1 + crypto/cms/cms_smime.c | 1 + 2 files changed, 2 insertions(+) diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 8d459435308..3ecda301cd1 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -282,6 +282,7 @@ int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey) CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY, CMS_R_NOT_KEY_TRANSPORT); return 0; } + EVP_PKEY_free(ri->d.ktri->pkey); ri->d.ktri->pkey = pkey; return 1; } diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 7e7b6e5d4f7..76883bfb9bb 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -631,6 +631,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) * all. */ else if (!cert || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + EVP_PKEY_up_ref(pk); CMS_RecipientInfo_set0_pkey(ri, pk); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_pkey(ri, NULL); -- 2.47.2