Fix a failure to NULL a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209 (Imported from upstream's 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.) Change-Id: Ic2e5dc5c96e316c55f76bedc6ea55b416be3287a Reviewed-on: https://boringssl-review.googlesource.com/4049 Reviewed-by: Adam Langley <agl@google.com>
author: David Benjamin <davidben@chromium.org> 2015-03-19 22:06:48 +0300
committer: Adam Langley <agl@google.com> 2015-03-19 22:50:32 +0300
commit: 4b1510c71ecadeb15e866f17086487a2d9691b48 (patch)
tree: 281b217031066a44e664c5ae310748442235654c /crypto/ec/ec_asn1.c
parent: 7a8e62dbd9df2ca2ee522fb3072edbfef6aafd11 (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index ab523897..87e91e1f 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -509,18 +509,21 @@ EC_KEY *d2i_ECParameters(EC_KEY **key, const uint8_t **inp, long len) {
       OPENSSL_PUT_ERROR(EC, d2i_ECParameters, ERR_R_MALLOC_FAILURE);
       return NULL;
     }
-    if (key) {
-      *key = ret;
-    }
   } else {
     ret = *key;
   }
 
   if (!d2i_ECPKParameters(&ret->group, inp, len)) {
     OPENSSL_PUT_ERROR(EC, d2i_ECParameters, ERR_R_EC_LIB);
+    if (key == NULL || *key == NULL) {
+      EC_KEY_free(ret);
+    }
     return NULL;
   }
 
+  if (key) {
+    *key = ret;
+  }
   return ret;
 }
author	David Benjamin <davidben@chromium.org>	2015-03-19 22:06:48 +0300
committer	Adam Langley <agl@google.com>	2015-03-19 22:50:32 +0300
commit	4b1510c71ecadeb15e866f17086487a2d9691b48 (patch)
tree	281b217031066a44e664c5ae310748442235654c /crypto/ec/ec_asn1.c
parent	7a8e62dbd9df2ca2ee522fb3072edbfef6aafd11 (diff)