Fix potential double free through SRP_user_pwd_set1_ids()
If SRP_user_pwd_set1_ids() fails during one of the duplications, or id
is NULL, then the old pointer values are still stored but they are now dangling.
Later when SRP_user_pwd_free() is called these are freed again,
leading to a double free.

Although there are no such uses in OpenSSL as far as I found,
it's still a public API.

CLA: trivial

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#25655)

(cherry picked from commit 792b2c8)
nielsdos authored and t8m committed Oct 11, 2024
1 parent 24a0aa4 commit 3f560b2
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions crypto/srp/srp_vfy.c
Expand Up @@ -214,6 +214,8 @@ int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id,
{
OPENSSL_free(vinfo->id);
OPENSSL_free(vinfo->info);
vinfo->id = NULL;
vinfo->info = NULL;
if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id)))
return 0;
return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info)));
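Review bot: On both failure paths (the `return 0` after the id duplication and the final return when the info duplication fails) the old id and info have already been freed, so a failed call leaves vinfo cleared or half-updated (new id, NULL info) instead of in its previous state. Clearing the pointers removes the dangling values, but for a public API it would be cleaner to duplicate both strings into temporaries first and only free and assign once both duplications succeed, or at least to document that a failed call discards the old values. The function also dereferences vinfo in its first statement without a NULL check, which is worth noting in the documentation if it is intentional. Since the commit touches only crypto/srp/srp_vfy.c, a regression test that calls SRP_user_pwd_set1_ids() with a NULL id on an already populated object and then SRP_user_pwd_free() would keep this from regressing.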