Fix memory leak on invalid CertificateRequest. Free up parsed X509_NAME structure if the CertificateRequest message contains excess data. The security impact is considered insignificant. This is a client side only leak and a large number of connections to malicious servers would be needed to have a significant impact. This was found by libFuzzer. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>

commit: 6afef8b1fb679df7d6a8606d713192c9907b1890 [log] [tgz]
author: David Benjamin <davidben@google.com> Mon Mar 14 15:03:07 2016 -0400
committer: Dr. Stephen Henson <steve@openssl.org> Thu Apr 07 19:22:20 2016 +0100
tree: e2113ce4f8371a8491c69ecce082509a4b71388a
parent: d1094383df07cc8ae266c04cf3ace782447b4d5b [diff] [blame]
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 73f54bc..4806e67 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c

@@ -1863,6 +1863,7 @@
             SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
+        xn = NULL;
     }
 
     /* we should setup a certificate to return.... */
@@ -1877,6 +1878,7 @@
  err:
     ossl_statem_set_error(s);
  done:
+    X509_NAME_free(xn);
     sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
     return ret;
 }
commit	6afef8b1fb679df7d6a8606d713192c9907b1890	[log] [tgz]
author	David Benjamin <davidben@google.com>	Mon Mar 14 15:03:07 2016 -0400
committer	Dr. Stephen Henson <steve@openssl.org>	Thu Apr 07 19:22:20 2016 +0100
tree	e2113ce4f8371a8491c69ecce082509a4b71388a
parent	d1094383df07cc8ae266c04cf3ace782447b4d5b [diff] [blame]