Diffstat (limited to 'openssl0.9.8/patches/CVE-2011-4109.patch')
-rw-r--r-- | openssl0.9.8/patches/CVE-2011-4109.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/openssl0.9.8/patches/CVE-2011-4109.patch b/openssl0.9.8/patches/CVE-2011-4109.patch
new file mode 100644
index 0000000..b602938
--- /dev/null
+++ b/openssl0.9.8/patches/CVE-2011-4109.patch
@@ -0,0 +1,60 @@
+diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c
+index f28796e..acd2ede 100644
+--- a/crypto/x509v3/pcy_map.c
++++ b/crypto/x509v3/pcy_map.c
+@@ -70,8 +70,6 @@ static int ref_cmp(const X509_POLICY_REF * const *a,
+
+ static void policy_map_free(X509_POLICY_REF *map)
+ {
+- if (map->subjectDomainPolicy)
+- ASN1_OBJECT_free(map->subjectDomainPolicy);
+ OPENSSL_free(map);
+ }
+
+@@ -95,6 +93,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
+ {
+ POLICY_MAPPING *map;
+ X509_POLICY_REF *ref = NULL;
++ ASN1_OBJECT *subjectDomainPolicyRef;
+ X509_POLICY_DATA *data;
+ X509_POLICY_CACHE *cache = x->policy_cache;
+ int i;
+@@ -153,13 +152,16 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
+ if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
+ map->subjectDomainPolicy))
+ goto bad_mapping;
++ /* map->subjectDomainPolicy will be freed when
++ * cache->data is freed. Set it to NULL to avoid double-free. */
++ subjectDomainPolicyRef = map->subjectDomainPolicy;
++ map->subjectDomainPolicy = NULL;
+
+ ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
+ if (!ref)
+ goto bad_mapping;
+
+- ref->subjectDomainPolicy = map->subjectDomainPolicy;
+- map->subjectDomainPolicy = NULL;
++ ref->subjectDomainPolicy = subjectDomainPolicyRef;
+ ref->data = data;
+
+ if (!sk_X509_POLICY_REF_push(cache->maps, ref))
+diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+index 89f84bf..92ad0a2 100644
+--- a/crypto/x509v3/pcy_tree.c
++++ b/crypto/x509v3/pcy_tree.c
+@@ -612,6 +612,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+ case 2:
+ return 1;
+
++ /* Some internal error */
++ case -1:
++ return -1;
++
+ /* Some internal error */
+ case 0:
+ return 0;
+@@ -691,4 +695,3 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+ return 0;
+
+ }
+- |
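Review bot: After this patch `policy_map_free()` in pcy_map.c releases only the `X509_POLICY_REF` itself, so `ref->subjectDomainPolicy` is now a borrowed pointer, yet the only ownership comment sits inside `policy_cache_set_mapping()`. I would add a comment above `OPENSSL_free(map);` along the lines of `/* subjectDomainPolicy is owned by data->expected_policy_set; it must not be freed here */`, so a later edit does not reintroduce the double free. In the pcy_tree.c hunk the new `case -1:` reuses the comment `/* Some internal error */` that already labels `case 0:`, so a distinct comment saying what -1 signals would help. Callers of `X509_policy_check()` are not visible here, so it should be confirmed that they treat -1 as a failure rather than as a non-zero success. Both patched functions continue outside the hunks shown.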