check_cert(): be sure to reset ctx->current_crl to NULL before freeing it.

X509_STORE_CTX_init(): do not free the X509_STORE_CTX * parameter upon
failure, for we did not allocate it and it might not come from the heap,
such as in check_crl_path() in this very same file where X509_STORE_CTX_init()
gets invoked with a stack address.

ok bcook@

1 files changed, 5 insertions, 10 deletions

diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c
index ae8484a8857..cda8aeafa9d 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.37 2014/07/17 07:13:02 logan Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.38 2014/09/29 04:20:14 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -747,6 +747,7 @@ check_cert(X509_STORE_CTX *ctx)
 				goto err;
 		}
 
+		ctx->current_crl = NULL;
 		X509_CRL_free(crl);
 		X509_CRL_free(dcrl);
 		crl = NULL;
@@ -762,10 +763,9 @@ check_cert(X509_STORE_CTX *ctx)
 	}
 
 err:
+	ctx->current_crl = NULL;
 	X509_CRL_free(crl);
 	X509_CRL_free(dcrl);
-
-	ctx->current_crl = NULL;
 	return ok;
 }
 
@@ -2100,13 +2100,8 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	ctx->check_policy = check_policy;
 
 
-	/* This memset() can't make any sense anyway, so it's removed. As
-	 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
-	 * corresponding "new" here and remove this bogus initialisation. */
-	/* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
-	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
-	    &(ctx->ex_data))) {
-		free(ctx);
+	if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+	    &(ctx->ex_data)) == 0) {
 		X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}