git.ipfire.org Git - thirdparty/openssl.git/commit

author	Andrey Tsygunka <aitsygunka@yandex.ru>
	Thu, 10 Apr 2025 06:57:41 +0000 (09:57 +0300)
committer	Neil Horman <nhorman@openssl.org>
	Thu, 23 Oct 2025 12:18:35 +0000 (08:18 -0400)
commit	11e1ea9d4d0c9a5e84b944535332aebf673e82f0
tree	0dce6ab387a8ff8346e81660e3cf3cfc7957ba05	tree \| snapshot
parent	9ef4f426157e8a100b816c962fea1a168010bde2	commit \| diff

Fix memory leak in x509_pubkey_ex_d2i_ex()

If the call to ASN1_item_ex_d2i() from x509_pubkey_ex_d2i_ex() fails
*pval is freed by asn1_item_ex_d2i_intern()->ASN1_item_ex_free()->ossl_asn1_item_embed_free()
inside the ASN1_item_ex_d2i() function without freeing the
string buffer X509_PUBKEY::propq that was previously allocated
in x509_pubkey_ex_new_ex() and we lose the pointer to this buffer.

The function we are fixing here is one of the functions used
to define X509_PUBKEY - so any operations that work directly
on X509_PUBKEY_INTERNAL should be prevented from freeing
the structure because they don't know how to handle it.

Signed-off-by: Andrey Tsygunka <aitsygunka@yandex.ru>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27333)

crypto/asn1/tasn_dec.c		diff \| blob \| blame \| history
crypto/x509/x_pubkey.c		diff \| blob \| blame \| history
include/crypto/asn1.h		diff \| blob \| blame \| history