Fix a NULL deref in an error path

The SRP_create_verifier_BN function goes to the |err| label if the |salt| value passed to it is NULL. It is then deref'd. Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Matt Caswell <matt@openssl.org> 2015-11-12 16:54:30 +0100
committer: Matt Caswell <matt@openssl.org> 2015-11-26 13:02:03 +0100
commit: 3bbd1d63e2d77e4e36e869640086f74714b3a4ee (patch)
tree: a0c9fadf1456e5a5d7460805834e9f1cf4b4f498 /crypto/srp
parent: Add documentation for BN_with_flags (diff)
download: openssl-3bbd1d63e2d77e4e36e869640086f74714b3a4ee.tar.xz
openssl-3bbd1d63e2d77e4e36e869640086f74714b3a4ee.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index e81ae01779..b271c9904c 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -644,7 +644,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
     *salt = salttmp;
 
  err:
-    if (*salt != salttmp)
+    if (salt != NULL && *salt != salttmp)
         BN_clear_free(salttmp);
     BN_clear_free(x);
     BN_CTX_free(bn_ctx);
author	Matt Caswell <matt@openssl.org>	2015-11-12 16:54:30 +0100
committer	Matt Caswell <matt@openssl.org>	2015-11-26 13:02:03 +0100
commit	3bbd1d63e2d77e4e36e869640086f74714b3a4ee (patch)
tree	a0c9fadf1456e5a5d7460805834e9f1cf4b4f498 /crypto/srp
parent	Add documentation for BN_with_flags (diff)
download	openssl-3bbd1d63e2d77e4e36e869640086f74714b3a4ee.tar.xz openssl-3bbd1d63e2d77e4e36e869640086f74714b3a4ee.zip