kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Move free from cbb_init() to only CBB_init().

Browse Source 
CBB_init_fixed() should not call free because it can lead to use after
free or double free bugs.  The caller should be responsible for
creating and destroying the buffer.

In the current code, ssl3_get_v2_client_hello() may free s->init_buf->data
via CBB_init_fixed().  It can also be freed via SSL_free(s) since
ssl3_get_v2_client_hello() doesn't set it to NULL and CBB_init_fixed()
can't set the caller's pointer to NULL.

Change-Id: Ia05a67ae25af7eb4fb04f08f20d50d912b41e38b
This commit is contained in:
Doug Hogan 2015-02-01 19:46:09 -08:00 committed by Adam Langley
parent d660b57208
commit a84f06fc1e
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
crypto/bytestring/cbb.c
View File

@ -25,7 +25,6 @@ static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
if (base == NULL) {
OPENSSL_free(buf);
return 0;
}
@ -48,7 +47,12 @@ int CBB_init(CBB *cbb, size_t initial_capacity) {
return 0;
}
return cbb_init(cbb, buf, initial_capacity);
if (!cbb_init(cbb, buf, initial_capacity)) {
OPENSSL_free(buf);
return 0;
}
return 1;
}
int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {