From: rootvector2 Date: Wed, 27 May 2026 18:14:23 +0000 (+0530) Subject: crypto/evp: fix double free of tmp_keymgmt in sig/kem/asym init X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=a21f77d;p=thirdparty%2Fopenssl.git crypto/evp: fix double free of tmp_keymgmt in sig/kem/asym init Commit ecb4757b377f "crypto/evp/m_sigver.c: fix potential double free on error path in do_sigver_init" has fixed double-free of tmp_keymgmt in do_sigver_init() by setting it to NULL after EVP_KEYMGMT_free() call; the same issue present in evp_kem_init(), evp_pkey_asym_cipher_init(), and evp_pkey_signature_init(). Address it similarly, by setting the pointers to NULL after *_free() calls. Complements: ecb4757b377f "crypto/evp/m_sigver.c: fix potential double free on error path in do_sigver_init" Fixes: 839ffdd11cd4 "EVP: Allow a fallback for operations that work with an EVP_PKEY" CLA: trivial Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz Reviewed-by: Eugene Syromiatnikov MergeDate: Sun May 31 11:03:15 2026 (Merged from https://github.com/openssl/openssl/pull/31312) --- diff --git a/crypto/evp/asymcipher.c b/crypto/evp/asymcipher.c index bdcb8b59dc0..e31e601c638 100644 --- a/crypto/evp/asymcipher.c +++ b/crypto/evp/asymcipher.c @@ -102,7 +102,9 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation, * iteration we're on. */ EVP_ASYM_CIPHER_free(cipher); + cipher = NULL; EVP_KEYMGMT_free(tmp_keymgmt); + tmp_keymgmt = NULL; switch (iter) { case 1: diff --git a/crypto/evp/kem.c b/crypto/evp/kem.c index 317db87b52a..92db9618929 100644 --- a/crypto/evp/kem.c +++ b/crypto/evp/kem.c @@ -97,7 +97,9 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation, * iteration we're on. */ EVP_KEM_free(kem); + kem = NULL; EVP_KEYMGMT_free(tmp_keymgmt); + tmp_keymgmt = NULL; switch (iter) { case 1: diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c index 51a5f0c4df5..3737bc6ba4a 100644 --- a/crypto/evp/signature.c +++ b/crypto/evp/signature.c 
@@ -736,7 +736,9 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature, * iteration we're on. */ EVP_SIGNATURE_free(signature); + signature = NULL; EVP_KEYMGMT_free(tmp_keymgmt); + tmp_keymgmt = NULL; switch (iter) { case 1:
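Review bot: No regression test accompanies the fix; the diff touches only crypto/evp/asymcipher.c, crypto/evp/kem.c and crypto/evp/signature.c. For the asymcipher.c hunk in evp_pkey_asym_cipher_init(), consider adding a test that drives the init down its failing path under a memory-error checker, so that a later edit dropping `cipher = NULL;` or `tmp_keymgmt = NULL;` is caught by CI rather than by inspection.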
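Review bot: The free-then-reset sequence in the kem.c hunk (`EVP_KEM_free(kem);`, `kem = NULL;`, `EVP_KEYMGMT_free(tmp_keymgmt);`, `tmp_keymgmt = NULL;`) is hand-copied in all three files of this patch, and the commit message says do_sigver_init() needed the same correction earlier. Since the bug has now turned up in four copies of one pattern, consider a shared free-and-clear helper or macro for these init functions, or at least note in the PR that the remaining EVP init paths were checked for further copies.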
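Review bot: In the signature.c hunk, `signature` is a parameter of evp_pkey_signature_init() (see the hunk header), so `signature = NULL;` after `EVP_SIGNATURE_free(signature);` clears only the local copy. If this code can be reached with a caller-supplied signature, the caller still holds the freed pointer. A short comment stating that this path only frees a signature the function obtained itself, or an assertion to that effect, would make the ownership explicit.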