ts: fix double free on error path.

In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299. In the implementation of ts_compute_imprint, it allocates md_alg at line 406. But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439. After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token. In the err branch, md_alg will be freed in the second time at line 320. Bug reported by @Yunlongs Fixes #14914 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14921)
2025-02-23 14:42:15 +08:00 · 2021-04-19 08:55:37 +10:00 · 2021-04-19 08:55:37 +10:00 · db78c84eb2
commit db78c84eb2
parent b06450bcf7
1 changed files with 1 additions and 0 deletions
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@ -437,6 +437,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
 err:
    EVP_MD_CTX_free(md_ctx);
    X509_ALGOR_free(*md_alg);
+    *md_alg = NULL;
    OPENSSL_free(*imprint);
    *imprint_len = 0;
    *imprint = 0;