Fix the error handling in i2v_AUTHORITY_KEYID Previously if an error path is entered a leak could result. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c index c8693a4..5abd35d 100644 --- a/crypto/x509/v3_akid.c +++ b/crypto/x509/v3_akid.c
@@ -40,29 +40,48 @@ STACK_OF(CONF_VALUE) *extlist) { - char *tmp; + char *tmp = NULL; + STACK_OF(CONF_VALUE) *origextlist = extlist, *tmpextlist; + if (akeyid->keyid) { tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length); if (tmp == NULL) { ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); return NULL; } - X509V3_add_value((akeyid->issuer || akeyid->serial) ? "keyid" : NULL, - tmp, &extlist); + if (!X509V3_add_value((akeyid->issuer || akeyid->serial) ? "keyid" : NULL, + tmp, &extlist)) { + OPENSSL_free(tmp); + ERR_raise(ERR_LIB_X509V3, ERR_R_X509_LIB); + goto err; + } OPENSSL_free(tmp); } - if (akeyid->issuer) - extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); + if (akeyid->issuer) { + tmpextlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); + if (tmpextlist == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_X509_LIB); + goto err; + } + extlist = tmpextlist; + } if (akeyid->serial) { tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length); if (tmp == NULL) { ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } - X509V3_add_value("serial", tmp, &extlist); + if (!X509V3_add_value("serial", tmp, &extlist)) { + OPENSSL_free(tmp); + goto err; + } OPENSSL_free(tmp); } return extlist; + err: + if (origextlist == NULL) + sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free); + return NULL; } /*-
diff --git a/fuzz/corpora/x509/0bf7ea6564ba1096f9760bbd6ed02f25aa0d583c b/fuzz/corpora/x509/0bf7ea6564ba1096f9760bbd6ed02f25aa0d583c new file mode 100644 index 0000000..afb6c2d --- /dev/null +++ b/fuzz/corpora/x509/0bf7ea6564ba1096f9760bbd6ed02f25aa0d583c Binary files differ