author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2024-03-12 20:04:56 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-08-16 10:07:52 +0200 |
commit | d550d2aae531c6fa2e10b1a30d2acdf373663889 (patch) | |
tree | 8722e0104bbfa7432c70a21a9360a2732fb444d9 /crypto | |
parent | Extend test case for reused PEM_ASN1_read_bio (diff) | |
Fix unpredictable refcount handling of d2i functions
The passed in reference of a ref-counted object
is free'd by d2i functions in the error handling.
However if it is not the last reference, the
in/out reference variable is not set to null here.
This makes it impossible for the caller to handle
the error correctly, because there are numerous
cases where the passed in reference is free'd
and set to null, while in other cases, where the
passed in reference is not free'd, the reference
is left untouched.
Therefore the passed in reference must be set
to NULL even when it was not the last reference.
Fixes #23713
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22809)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/asn1/tasn_fre.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/crypto/asn1/tasn_fre.c b/crypto/asn1/tasn_fre.c index 13aa6a728e..9035bc1b5c 100644 --- a/crypto/asn1/tasn_fre.c +++ b/crypto/asn1/tasn_fre.c @@ -85,8 +85,12 @@ void ossl_asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed case ASN1_ITYPE_NDEF_SEQUENCE: case ASN1_ITYPE_SEQUENCE: - if (ossl_asn1_do_lock(pval, -1, it) != 0) /* if error or ref-counter > 0 */ + if (ossl_asn1_do_lock(pval, -1, it) != 0) { + /* if error or ref-counter > 0 */ + OPENSSL_assert(embed == 0); + *pval = NULL; return; + } if (asn1_cb) { i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL); if (i == 2) |
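Review bot: In the new early-return block for ASN1_ITYPE_SEQUENCE, `*pval = NULL` runs for both outcomes the comment names ("if error or ref-counter > 0"), so on the error outcome the caller's pointer is cleared although nothing was released here. If that is intended, the comment should say so; otherwise distinguish the error result of ossl_asn1_do_lock() from the "still referenced" result before clearing. The added `OPENSSL_assert(embed == 0);` aborts the process when it fails, and it sits in a free path: a short comment stating why an embedded value can never reach this branch with a non-zero lock result would make the invariant reviewable, and a recoverable check would be preferable if the invariant is not guaranteed by construction. Since callers now see the in/out reference set to NULL even when it was not the last reference, that contract change also belongs in the d2i documentation, not only in the commit message.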